From aeda53004e79c7ddb76815b2a6e09ab431ccad9d Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 16:57:34 +0400 Subject: [PATCH 01/27] severity mapping --- dojo/tools/wizcli_common_parsers/parsers.py | 26 ++++++++++++++------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index dbd9583b598..f6d9d33ddaa 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -1,17 +1,27 @@ from dojo.models import Finding +logger = logging.getLogger(__name__) + +# Mapping from Wiz severities to DefectDojo severities +SEVERITY_MAPPING = { + "CRITICAL": "Critical", + "HIGH": "High", + "MEDIUM": "Medium", + "LOW": "Low", + "INFORMATIONAL": "Info", + "INFO": "Info", + "UNKNOWN": "Info", # Default for unknown severities +} + class WizcliParsers: @staticmethod - def parse_libraries(libraries, test): - findings = [] - if libraries: - for library in libraries: - lib_name = library.get("name", "N/A") - lib_version = library.get("version", "N/A") - lib_path = library.get("path", "N/A") - vulnerabilities = library.get("vulnerabilities", []) + def get_severity(severity_str): + """Maps Wiz severity strings to DefectDojo standard TitleCase.""" + if severity_str: + return SEVERITY_MAPPING.get(severity_str.upper(), "Info") + return "Info" # Default if severity is missing or None for vulnerability in vulnerabilities: vuln_name = vulnerability.get("name", "N/A") From 0f6830ebce8ada842f3a621a0f4b6a1482d1eef3 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 16:58:13 +0400 Subject: [PATCH 02/27] extract reference link if present in scan output --- dojo/tools/wizcli_common_parsers/parsers.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index f6d9d33ddaa..55b231dcf1d 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -23,16 +23,14 @@ def get_severity(severity_str): return SEVERITY_MAPPING.get(severity_str.upper(), "Info") return "Info" # Default if severity is missing or None - for vulnerability in vulnerabilities: - vuln_name = vulnerability.get("name", "N/A") - severity = vulnerability.get("severity", "low").lower().capitalize() - fixed_version = vulnerability.get("fixedVersion", "N/A") - source = vulnerability.get("source", "N/A") - description = vulnerability.get("description", "N/A") - score = vulnerability.get("score", "N/A") - exploitability_score = vulnerability.get("exploitabilityScore", "N/A") - has_exploit = vulnerability.get("hasExploit", False) - has_cisa_kev_exploit = vulnerability.get("hasCisaKevExploit", False) + @staticmethod + def extract_reference_link(text): + """Extracts potential URL from remediation instructions.""" + if not text: + return None + # Basic regex to find URLs, might need refinement + match = re.search(r"(https?://[^\s)]+)", text) + return match.group(1) if match else None finding_description = ( f"**Library Name**: {lib_name}\n" From d019619c673e8bb64d74ec0c1b3f1207eb5b8f54 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 16:58:55 +0400 Subject: [PATCH 03/27] improved parsing and implimented generation of unique id for deduplication --- dojo/tools/wizcli_common_parsers/parsers.py | 113 +++++++++++++++++--- 1 file changed, 100 insertions(+), 13 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index 55b231dcf1d..f520d9b74ab 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -32,19 +32,106 @@ def extract_reference_link(text): match = re.search(r"(https?://[^\s)]+)", text) return match.group(1) if match else None - finding_description = ( - f"**Library Name**: {lib_name}\n" - f"**Library Version**: {lib_version}\n" - f"**Library Path**: {lib_path}\n" - f"**Vulnerability Name**: {vuln_name}\n" - f"**Fixed Version**: {fixed_version}\n" - f"**Source**: {source}\n" - f"**Description**: {description}\n" - f"**Score**: {score}\n" - f"**Exploitability Score**: {exploitability_score}\n" - f"**Has Exploit**: {has_exploit}\n" - f"**Has CISA KEV Exploit**: {has_cisa_kev_exploit}\n" - ) + @staticmethod + def _generate_unique_id(components: list) -> str: + """ + Generates a stable unique ID for findings. + + Args: + components: List of components to use for ID generation + + """ + # Filter out None and empty values + filtered_components = [str(c).strip() for c in components if c is not None and str(c).strip()] + + # Sort components for consistent order regardless of input order + filtered_components = sorted(filtered_components) + + id_string = "|".join(filtered_components) + hash_object = hashlib.sha256(id_string.encode("utf-8")) + return hash_object.hexdigest() + + @staticmethod + def parse_libraries(libraries_data, test): + """ + Parses library vulnerability data into granular DefectDojo findings. + Creates one finding per unique vulnerability (CVE/ID) per library instance (name/version/path). + """ + findings_list = [] + if not libraries_data: + return findings_list + + for lib_item in libraries_data: + lib_name = lib_item.get("name", "N/A") + lib_version = lib_item.get("version", "N/A") + lib_path = lib_item.get("path", "N/A") + lib_line = lib_item.get("startLine") + + vulnerabilities_in_lib_instance = lib_item.get("vulnerabilities", []) + if not vulnerabilities_in_lib_instance: + continue + + for vuln_data in vulnerabilities_in_lib_instance: + vuln_name = vuln_data.get("name", "N/A") + severity_str = vuln_data.get("severity") + severity = WizcliParsers.get_severity(severity_str) + fixed_version = vuln_data.get("fixedVersion") + source_url = vuln_data.get("source", "N/A") + vuln_description_from_wiz = vuln_data.get("description") + score_str = vuln_data.get("score") + has_exploit = vuln_data.get("hasExploit", False) + has_cisa_kev_exploit = vuln_data.get("hasCisaKevExploit", False) + + title = f"{lib_name} {lib_version} - {vuln_name}" + + description_parts = [ + f"**Vulnerability**: `{vuln_name}`", + f"**Severity**: {severity}", + f"**Library**: `{lib_name}`", + f"**Version**: `{lib_version}`", + f"**Path/Manifest**: `{lib_path}`", + ] + if lib_line is not None: + description_parts.append(f"**Line in Manifest**: {lib_line}") + + if fixed_version: + description_parts.append(f"**Fixed Version**: {fixed_version}") + mitigation = f"Update `{lib_name}` to version `{fixed_version}` or later in path/manifest `{lib_path}`." + else: + description_parts.append("**Fixed Version**: N/A") + mitigation = f"No fixed version available from Wiz. Investigate `{vuln_name}` for `{lib_name}` in `{lib_path}` and apply vendor guidance or risk acceptance." + + description_parts.append(f"**Source**: {source_url}") + if vuln_description_from_wiz: + description_parts.append(f"\n**Details from Wiz**:\n{vuln_description_from_wiz}\n") + if score_str is not None: + description_parts.append(f"**CVSS Score (from Wiz)**: {score_str}") + description_parts.extend([ + f"**Has Exploit (Known)**: {has_exploit}", + f"**In CISA KEV**: {has_cisa_kev_exploit}", + ]) + + failed_policies = vuln_data.get("failedPolicyMatches", []) + if failed_policies: + description_parts.append("\n**Failed Policies**:") + for match in failed_policies: + policy = match.get("policy", {}) + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {policy.get('id', 'N/A')})") + ignored_policies = vuln_data.get("ignoredPolicyMatches", []) + if ignored_policies: + description_parts.append("\n**Ignored Policies**:") + for match in ignored_policies: + policy = match.get("policy", {}) + reason = match.get("ignoreReason", "N/A") + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {policy.get('id', 'N/A')}), Reason: {reason}") + + full_description = "\n".join(description_parts) + references = source_url if source_url != "N/A" else None + + # Generate unique ID using stable components including file path + unique_id = WizcliParsers._generate_unique_id( + [lib_name, lib_version, vuln_name, lib_path], + ) finding = Finding( title=f"{lib_name} - {vuln_name}", From f89d858ee3055c2571918b124f7e86e37d0d9507 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 17:00:34 +0400 Subject: [PATCH 04/27] improved scan result parsers for dir, iac, img scan results --- dojo/tools/wizcli_common_parsers/parsers.py | 425 ++++++++++++++------ 1 file changed, 300 insertions(+), 125 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index f520d9b74ab..e20c7a9dec3 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -1,3 +1,7 @@ +import hashlib +import logging +import re + from dojo.models import Finding logger = logging.getLogger(__name__) @@ -133,141 +137,312 @@ def parse_libraries(libraries_data, test): [lib_name, lib_version, vuln_name, lib_path], ) - finding = Finding( - title=f"{lib_name} - {vuln_name}", - description=finding_description, - file_path=lib_path, - severity=severity, - static_finding=True, - dynamic_finding=False, - mitigation=None, - test=test, - ) - findings.append(finding) - return findings + finding = Finding( + test=test, + title=title, + description=full_description, + severity=severity, + mitigation=mitigation, + file_path=lib_path, + line=lib_line if lib_line is not None else 0, + component_name=lib_name, + component_version=lib_version, + static_finding=True, + dynamic_finding=False, + unique_id_from_tool=unique_id, + vuln_id_from_tool=vuln_name, + references=references, + active=True, # Always set as active since we don't have status from Wiz + ) + if score_str is not None: + try: + finding.cvssv3_score = float(score_str) + except (ValueError, TypeError): + logger.warning(f"Could not convert score '{score_str}' to float for finding '{title}'.") + if isinstance(vuln_name, str) and vuln_name.upper().startswith("CVE-"): + finding.cve = vuln_name + findings_list.append(finding) + return findings_list + + @staticmethod + def parse_secrets(secrets_data, test): + """Parses secret findings into granular DefectDojo findings.""" + findings_list = [] + if not secrets_data: + return findings_list + for secret in secrets_data: + secret_description = secret.get("description", "Secret detected") + secret_type = secret.get("type", "UNKNOWN_TYPE") + file_path = secret.get("path", "N/A") + line_number = secret.get("lineNumber") + severity_str = secret.get("severity") + severity = WizcliParsers.get_severity(severity_str) + title = f"Secret Detected: {secret_description} ({secret_type})" + description_parts = [ + f"**Type**: `{secret_type}`", + f"**Description**: {secret_description}", + f"**File**: `{file_path}`", + ] + if line_number is not None: + description_parts.append(f"**Line**: {line_number}") + details = secret.get("details", {}) + detail_type = details.get("__typename") + if detail_type == "DiskScanSecretDetailsPassword": + description_parts.append("\n**Password Details**:") + if (pw_len := details.get("length")) is not None: + description_parts.append(f"- Length: {pw_len}") + if (is_complex := details.get("isComplex")) is not None: + description_parts.append(f"- Complex: {is_complex}") + elif detail_type == "DiskScanSecretDetailsCloudKey": + description_parts.append("\n**Cloud Key Details**:") + if (provider_id := details.get("providerUniqueID")): + description_parts.append(f"- Provider Unique ID: {provider_id}") + if (key_type_num := details.get("keyType")) is not None: + description_parts.append(f"- Key Type Code: {key_type_num}") + if (is_long_term := details.get("isLongTerm")) is not None: + description_parts.append(f"- Long Term Key: {is_long_term}") + + failed_policies = secret.get("failedPolicyMatches", []) + if failed_policies: + description_parts.append("\n**Failed Policies**:") + for match in failed_policies: + policy = match.get("policy", {}) + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {policy.get('id', 'N/A')})") + + full_description = "\n".join(description_parts) + mitigation = "Rotate the exposed secret immediately. Remove the secret from the specified file path and line. Store secrets securely using a secrets management solution. Review commit history." + + # Generate unique ID using stable components + unique_id = WizcliParsers._generate_unique_id( + [secret_type, file_path, str(line_number) if line_number is not None else "0"], + ) + + finding = Finding( + test=test, + title=title, + description=full_description, + severity=severity, + mitigation=mitigation, + file_path=file_path, + line=line_number if line_number is not None else 0, + static_finding=True, + dynamic_finding=False, + unique_id_from_tool=unique_id, + active=True, # Always set as active since we don't have status from Wiz + ) + findings_list.append(finding) + return findings_list + + @staticmethod + def parse_os_packages(os_packages_data, test): + """Parses OS package vulnerabilities into granular DefectDojo findings.""" + findings_list = [] + if not os_packages_data: + return findings_list + for os_pkg in os_packages_data: + pkg_name = os_pkg.get("name", "N/A") + pkg_version = os_pkg.get("version", "N/A") + vulnerabilities = os_pkg.get("vulnerabilities", []) + if not vulnerabilities: + continue + for vuln_data in vulnerabilities: + vuln_name = vuln_data.get("name", "N/A") + severity_str = vuln_data.get("severity") + severity = WizcliParsers.get_severity(severity_str) + fixed_version = vuln_data.get("fixedVersion") + source_url = vuln_data.get("source", "N/A") + vuln_description_from_wiz = vuln_data.get("description") + score_str = vuln_data.get("score") + has_exploit = vuln_data.get("hasExploit", False) + has_cisa_kev_exploit = vuln_data.get("hasCisaKevExploit", False) + title = f"OS Pkg: {pkg_name} {pkg_version} - {vuln_name}" + description_parts = [ + f"**Vulnerability**: `{vuln_name}`", + f"**Severity**: {severity}", + f"**OS Package**: `{pkg_name}`", + f"**Version**: `{pkg_version}`", + ] + if fixed_version: + description_parts.append(f"**Fixed Version**: {fixed_version}") + mitigation = f"Update OS package `{pkg_name}` to version `{fixed_version}` or later." + else: + description_parts.append("**Fixed Version**: N/A") + mitigation = f"Patch or update OS package `{pkg_name}` as per vendor advisory for `{vuln_name}`." + description_parts.append(f"**Source**: {source_url}") + if vuln_description_from_wiz: + description_parts.append(f"\n**Details from Wiz**:\n{vuln_description_from_wiz}\n") + if score_str is not None: + description_parts.append(f"**CVSS Score (from Wiz)**: {score_str}") + description_parts.extend([ + f"**Has Exploit (Known)**: {has_exploit}", + f"**In CISA KEV**: {has_cisa_kev_exploit}", + ]) + failed_policies = vuln_data.get("failedPolicyMatches", []) + if failed_policies: + description_parts.append("\n**Failed Policies**:") + for match in failed_policies: + policy = match.get("policy", {}) + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {policy.get('id', 'N/A')})") + ignored_policies = vuln_data.get("ignoredPolicyMatches", []) + if ignored_policies: + description_parts.append("\n**Ignored Policies**:") + for match in ignored_policies: + policy = match.get("policy", {}) + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {policy.get('id', 'N/A')})") + + full_description = "\n".join(description_parts) + references = source_url if source_url != "N/A" else None + + # Generate unique ID using stable components + unique_id = WizcliParsers._generate_unique_id( + [pkg_name, pkg_version, vuln_name], + ) + + finding = Finding( + test=test, + title=title, + description=full_description, + severity=severity, + mitigation=mitigation, + static_finding=True, + dynamic_finding=False, + unique_id_from_tool=unique_id, + vuln_id_from_tool=vuln_name, + references=references, + active=True, # Always set as active since we don't have status from Wiz + ) + if score_str is not None: + try: + finding.cvssv3_score = float(score_str) + except (ValueError, TypeError): + logger.warning(f"Could not convert score '{score_str}' to float for finding '{title}'.") + if isinstance(vuln_name, str) and vuln_name.upper().startswith("CVE-"): + finding.cve = vuln_name + findings_list.append(finding) + return findings_list @staticmethod - def parse_secrets(secrets, test): - findings = [] - if secrets: - for secret in secrets: - secret_id = secret.get("id", "N/A") - desc = secret.get("description", "N/A") - severity = "High" - file_name = secret.get("path", "N/A") - line_number = secret.get("lineNumber", "N/A") - match_content = secret.get("type", "N/A") - - description = ( - f"**Secret ID**: {secret_id}\n" - f"**Description**: {desc}\n" - f"**File Name**: {file_name}\n" - f"**Line Number**: {line_number}\n" - f"**Match Content**: {match_content}\n" + def parse_rule_matches(rule_matches_data, test): + """ + Parses IaC rule match data into granular DefectDojo findings. + Creates one finding per rule match instance on a specific resource. + """ + findings_list = [] + if not rule_matches_data: + logger.debug("No ruleMatches data found to parse.") + return findings_list + + for rule_match in rule_matches_data: + rule = rule_match.get("rule", {}) + rule_id = rule.get("id", "N/A") + rule_name = rule.get("name", "Unnamed Rule") + # Use the severity from the ruleMatch level + severity_str = rule_match.get("severity") + severity = WizcliParsers.get_severity(severity_str) + + matches = rule_match.get("matches", []) + if not matches: + continue + + for match in matches: + resource_name = match.get("resourceName", "N/A") + file_name = match.get("fileName", "N/A") + line_number = match.get("lineNumber") # Can be None or int + match_content = match.get("matchContent", "N/A") # Code snippet + expected = match.get("expected", "N/A") + found = match.get("found", "N/A") + file_type = match.get("fileType", "IaC") # e.g., TERRAFORM, KUBERNETES + remediation = match.get("remediationInstructions") # Can be None + + # Title: IaC: Rule Name - Resource Name (e.g., IaC: S3 Bucket Logging Disabled - my-bucket) + title = f"{rule_name} - {resource_name}" + + # Description + description_parts = [ + f"**Rule**: {rule_name} (ID: `{rule_id}`)", + f"**Severity**: {severity}", + f"**Resource**: `{resource_name}`", + f"**File**: `{file_name}`", + ] + if line_number is not None: + description_parts.append(f"**Line**: {line_number}") + if match_content and match_content != "N/A": + description_parts.append(f"**Code Snippet**: ```\n{match_content}\n```") # Use markdown code block + + description_parts.extend([ + "\n**Finding Details**:", + f"- **Expected**: {expected}", + f"- **Found**: {found}", + f"- **File Type**: {file_type}", + ]) + + # Use remediationInstructions as mitigation and potentially extract reference + mitigation = remediation or "Refer to Wiz rule details and vendor documentation." + references = WizcliParsers.extract_reference_link(remediation) + + # Policy Information (from match level first, then rule level) + match_failed_policies = match.get("failedPolicies", []) + rule_failed_policies = rule_match.get("failedPolicyMatches", []) # Top level rule match policies + if match_failed_policies or rule_failed_policies: + description_parts.append("\n**Failed Policies**:") + processed_policy_ids = set() + for pol_match in match_failed_policies + rule_failed_policies: + policy = pol_match.get("policy", {}) + pol_id = policy.get("id") + if pol_id and pol_id not in processed_policy_ids: + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {pol_id})") + processed_policy_ids.add(pol_id) + + match_ignored_policies = match.get("ignoredPolicyMatches", []) + rule_ignored_policies = [] # Ignored policies seem to only be at the match level in the sample + if match_ignored_policies or rule_ignored_policies: + description_parts.append("\n**Ignored Policies**:") + processed_policy_ids = set() + for pol_match in match_ignored_policies + rule_ignored_policies: + policy = pol_match.get("policy", {}) + pol_id = policy.get("id") + reason = pol_match.get("ignoreReason", "N/A") + if pol_id and pol_id not in processed_policy_ids: + description_parts.append(f"- {policy.get('name', 'N/A')} (ID: {pol_id}), Reason: {reason}") + processed_policy_ids.add(pol_id) + + full_description = "\n".join(description_parts) + + # Generate unique ID using stable components for IAC + unique_id = WizcliParsers._generate_unique_id( + [rule_id, resource_name, file_name, str(line_number) if line_number is not None else "0"], # Only use rule ID and resource name for deduplication ) finding = Finding( - title=f"Secret: {desc}", - description=description, + test=test, + title=title, + description=full_description, severity=severity, + mitigation=mitigation, file_path=file_name, - line=line_number, + line=line_number if line_number is not None else 0, + component_name=resource_name, # Use resource name as component static_finding=True, dynamic_finding=False, - mitigation=None, - test=test, + unique_id_from_tool=unique_id, + vuln_id_from_tool=rule_id, # Use rule ID as the identifier + references=references, + active=True, # Always set as active since we don't have status from Wiz ) - findings.append(finding) - return findings + findings_list.append(finding) - @staticmethod - def parse_rule_matches(rule_matches, test): - findings = [] - if rule_matches: - for rule_match in rule_matches: - rule = rule_match.get("rule", {}) - rule_id = rule.get("id", "N/A") - rule_name = rule.get("name", "N/A") - severity = rule_match.get("severity", "low").lower().capitalize() - - matches = rule_match.get("matches", []) - if matches: - for match in matches: - resource_name = match.get("resourceName", "N/A") - file_name = match.get("fileName", "N/A") - line_number = match.get("lineNumber", "N/A") - match_content = match.get("matchContent", "N/A") - expected = match.get("expected", "N/A") - found = match.get("found", "N/A") - file_type = match.get("fileType", "N/A") - - description = ( - f"**Rule ID**: {rule_id}\n" - f"**Rule Name**: {rule_name}\n" - f"**Resource Name**: {resource_name}\n" - f"**File Name**: {file_name}\n" - f"**Line Number**: {line_number}\n" - f"**Match Content**: {match_content}\n" - f"**Expected**: {expected}\n" - f"**Found**: {found}\n" - f"**File Type**: {file_type}\n" - ) - - finding = Finding( - title=f"{rule_name} - {resource_name}", - description=description, - severity=severity, - file_path=file_name, - line=line_number, - static_finding=True, - dynamic_finding=False, - mitigation=None, - test=test, - ) - findings.append(finding) - return findings + return findings_list @staticmethod - def parse_os_packages(osPackages, test): - findings = [] - if osPackages: - for osPackage in osPackages: - pkg_name = osPackage.get("name", "N/A") - pkg_version = osPackage.get("version", "N/A") - vulnerabilities = osPackage.get("vulnerabilities", []) - - for vulnerability in vulnerabilities: - vuln_name = vulnerability.get("name", "N/A") - severity = vulnerability.get("severity", "low").lower().capitalize() - fixed_version = vulnerability.get("fixedVersion", "N/A") - source = vulnerability.get("source", "N/A") - description = vulnerability.get("description", "N/A") - score = vulnerability.get("score", "N/A") - exploitability_score = vulnerability.get("exploitabilityScore", "N/A") - has_exploit = vulnerability.get("hasExploit", False) - has_cisa_kev_exploit = vulnerability.get("hasCisaKevExploit", False) - - finding_description = ( - f"**OS Package Name**: {pkg_name}\n" - f"**OS Package Version**: {pkg_version}\n" - f"**Vulnerability Name**: {vuln_name}\n" - f"**Fixed Version**: {fixed_version}\n" - f"**Source**: {source}\n" - f"**Description**: {description}\n" - f"**Score**: {score}\n" - f"**Exploitability Score**: {exploitability_score}\n" - f"**Has Exploit**: {has_exploit}\n" - f"**Has CISA KEV Exploit**: {has_cisa_kev_exploit}\n" - ) - - finding = Finding( - title=f"{pkg_name} - {vuln_name}", - description=finding_description, - severity=severity, - static_finding=True, - dynamic_finding=False, - mitigation=None, - test=test, - ) - findings.append(finding) - return findings + def convert_status(wiz_status) -> dict: + """Convert the Wiz Status to a dict of Finding status flags.""" + if (status := wiz_status) is not None: + if status.upper() == "OPEN": + return {"active": True} + if status.upper() == "RESOLVED": + return {"active": False, "is_mitigated": True} + if status.upper() == "IGNORED": + return {"active": False, "out_of_scope": True} + if status.upper() == "IN_PROGRESS": + return {"active": True} + return {"active": True} From 30ec0e2e8e3db07e9bc5abbf1aa9f2042516d675 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 17:00:45 +0400 Subject: [PATCH 05/27] improvements --- dojo/tools/wizcli_dir/parser.py | 53 ++++++++++++++++++++------- dojo/tools/wizcli_iac/parser.py | 55 ++++++++++++++++++++-------- dojo/tools/wizcli_img/parser.py | 64 ++++++++++++++++++++++++--------- 3 files changed, 130 insertions(+), 42 deletions(-) diff --git a/dojo/tools/wizcli_dir/parser.py b/dojo/tools/wizcli_dir/parser.py index fe8e6e1b13e..4abb0899543 100644 --- a/dojo/tools/wizcli_dir/parser.py +++ b/dojo/tools/wizcli_dir/parser.py @@ -1,37 +1,66 @@ import json +import logging from dojo.tools.wizcli_common_parsers.parsers import WizcliParsers +logger = logging.getLogger(__name__) + class WizcliDirParser: - """ - Wizcli Dir Scan results in JSON file format. - """ + + """Wiz CLI Directory/IaC Scan results in JSON file format.""" def get_scan_types(self): return ["Wizcli Dir Scan"] def get_label_for_scan_types(self, scan_type): - return "Wizcli Dir Scan" + return "Wiz CLI Scan (Directory)" def get_description_for_scan_types(self, scan_type): - return "Wizcli Dir Scan results in JSON file format." + return "Parses Wiz CLI Directory/IaC scan results in JSON format, creating granular findings for vulnerabilities and secrets." - def get_findings(self, filename, test): - scan_data = filename.read() + def get_findings(self, file, test): + """Processes the JSON report and returns a list of DefectDojo Finding objects.""" try: - data = json.loads(scan_data.decode("utf-8")) - except Exception: + scan_data = file.read() + if isinstance(scan_data, bytes): + # Try decoding common encodings + try: + scan_data = scan_data.decode("utf-8-sig") # Handles BOM + except UnicodeDecodeError: + scan_data = scan_data.decode("utf-8") # Fallback data = json.loads(scan_data) + except json.JSONDecodeError as e: + msg = f"Invalid JSON format: {e}" + logger.error(msg) + raise ValueError(msg) from e + except Exception as e: + msg = f"Error processing report file: {e}" + logger.error(msg) + raise ValueError(msg) from e + findings = [] - results = data.get("result", {}) + results_data = data.get("result", {}) + + if not results_data: + logger.warning("No 'result' key found in the Wiz report. Unable to parse findings.") + return findings - libraries = results.get("libraries", None) + # Parse Libraries (Vulnerabilities) + libraries = results_data.get("libraries") if libraries: + logger.debug(f"Parsing {len(libraries)} library entries.") findings.extend(WizcliParsers.parse_libraries(libraries, test)) + else: + logger.debug("No 'libraries' data found in results.") - secrets = results.get("secrets", None) + # Parse Secrets + secrets = results_data.get("secrets") if secrets: + logger.debug(f"Parsing {len(secrets)} secret entries.") findings.extend(WizcliParsers.parse_secrets(secrets, test)) + else: + logger.debug("No 'secrets' data found in results.") + logger.info(f"WizcliDirParser processed {len(findings)} findings.") return findings diff --git a/dojo/tools/wizcli_iac/parser.py b/dojo/tools/wizcli_iac/parser.py index 2caa0da7694..09ab717d8d4 100644 --- a/dojo/tools/wizcli_iac/parser.py +++ b/dojo/tools/wizcli_iac/parser.py @@ -1,37 +1,64 @@ import json +import logging -from dojo.tools.wizcli_common_parsers.parsers import WizcliParsers +from dojo.tools.wizcli_common_parsers.parsers import WizcliParsers # Adjust import path +logger = logging.getLogger(__name__) -class WizcliIaCParser: - """ - Wizcli IaC Scan results in JSON file format. - """ + +class WizcliIacParser: + + """Wiz CLI IaC Scan results in JSON file format.""" def get_scan_types(self): return ["Wizcli IaC Scan"] def get_label_for_scan_types(self, scan_type): - return "Wizcli IaC Scan" + return "Wiz CLI Scan (IaC)" def get_description_for_scan_types(self, scan_type): - return "Wizcli IaC Scan results in JSON file format." + return "Parses Wiz CLI Infrastructure as Code (IaC) scan results in JSON format." - def get_findings(self, filename, test): - scan_data = filename.read() + def get_findings(self, file, test): try: - data = json.loads(scan_data.decode("utf-8")) - except Exception: + scan_data = file.read() + if isinstance(scan_data, bytes): + try: + scan_data = scan_data.decode("utf-8-sig") + except UnicodeDecodeError: + scan_data = scan_data.decode("utf-8") data = json.loads(scan_data) + except json.JSONDecodeError as e: + msg = f"Invalid JSON format: {e}" + logger.error(msg) + raise ValueError(msg) from e + except Exception as e: + msg = f"Error processing report file: {e}" + logger.error(msg) + raise ValueError(msg) from e + findings = [] - results = data.get("result", {}) + results_data = data.get("result", {}) + + if not results_data: + logger.warning("No 'result' key found in the Wiz report.") + return findings - rule_matches = results.get("ruleMatches", None) + # Parse Rule Matches (IaC findings) + rule_matches = results_data.get("ruleMatches") if rule_matches: + logger.debug(f"Parsing {len(rule_matches)} rule match entries.") findings.extend(WizcliParsers.parse_rule_matches(rule_matches, test)) + else: + logger.debug("No 'ruleMatches' data found in results.") - secrets = results.get("secrets", None) + # Parse Secrets (if present in IaC scans) + secrets = results_data.get("secrets") if secrets: + logger.debug(f"Parsing {len(secrets)} secret entries.") findings.extend(WizcliParsers.parse_secrets(secrets, test)) + else: + logger.debug("No 'secrets' data found in results.") + logger.info(f"WizcliIacParser processed {len(findings)} findings.") return findings diff --git a/dojo/tools/wizcli_img/parser.py b/dojo/tools/wizcli_img/parser.py index 2372ff17438..31b1317d5b2 100644 --- a/dojo/tools/wizcli_img/parser.py +++ b/dojo/tools/wizcli_img/parser.py @@ -1,41 +1,73 @@ import json +import logging -from dojo.tools.wizcli_common_parsers.parsers import WizcliParsers +from dojo.tools.wizcli_common_parsers.parsers import WizcliParsers # Adjust import path + +logger = logging.getLogger(__name__) class WizcliImgParser: - """ - Wizcli Image Scan results in JSON file format. - """ + + """Wiz CLI Container Image Scan results in JSON file format.""" def get_scan_types(self): + # Use a distinct name for image scans return ["Wizcli Img Scan"] def get_label_for_scan_types(self, scan_type): - return "Wizcli Img Scan" + return "Wiz CLI Scan (Image)" def get_description_for_scan_types(self, scan_type): - return "Wizcli Img report file can be imported in JSON format." + return "Parses Wiz CLI Container Image scan results in JSON format." - def get_findings(self, filename, test): - scan_data = filename.read() + def get_findings(self, file, test): try: - data = json.loads(scan_data.decode("utf-8")) - except Exception: + scan_data = file.read() + if isinstance(scan_data, bytes): + try: + scan_data = scan_data.decode("utf-8-sig") + except UnicodeDecodeError: + scan_data = scan_data.decode("utf-8") data = json.loads(scan_data) + except json.JSONDecodeError as e: + msg = f"Invalid JSON format: {e}" + logger.error(msg) + raise ValueError(msg) from e + except Exception as e: + msg = f"Error processing report file: {e}" + logger.error(msg) + raise ValueError(msg) from e + findings = [] - results = data.get("result", {}) + results_data = data.get("result", {}) + + if not results_data: + logger.warning("No 'result' key found in the Wiz report.") + return findings - osPackages = results.get("osPackages", None) - if osPackages: - findings.extend(WizcliParsers.parse_os_packages(osPackages, test)) + # Parse OS Packages - Key difference for image scans + os_packages = results_data.get("osPackages") + if os_packages: + logger.debug(f"Parsing {len(os_packages)} OS package entries.") + findings.extend(WizcliParsers.parse_os_packages(os_packages, test)) + else: + logger.debug("No 'osPackages' data found in results.") - libraries = results.get("libraries", None) + # Parse Libraries (if present in image scans) + libraries = results_data.get("libraries") if libraries: + logger.debug(f"Parsing {len(libraries)} library entries.") findings.extend(WizcliParsers.parse_libraries(libraries, test)) + else: + logger.debug("No 'libraries' data found in results.") - secrets = results.get("secrets", None) + # Parse Secrets (if present in image scans) + secrets = results_data.get("secrets") if secrets: + logger.debug(f"Parsing {len(secrets)} secret entries.") findings.extend(WizcliParsers.parse_secrets(secrets, test)) + else: + logger.debug("No 'secrets' data found in results.") + logger.info(f"WizcliImgParser processed {len(findings)} findings.") return findings From f8dcca75c9e770948be33adf134ef0ad2d2534e7 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Wed, 14 May 2025 17:10:53 +0400 Subject: [PATCH 06/27] enabling dedup in settings.dist.py --- dojo/settings/settings.dist.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index a0f456b9edf..32ff19217e8 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1493,6 +1493,9 @@ def saml2_attrib_map_format(dict): "Kubescape JSON Importer": DEDUPE_ALGO_HASH_CODE, "Kiuwan SCA Scan": DEDUPE_ALGO_HASH_CODE, "Rapplex Scan": DEDUPE_ALGO_HASH_CODE, + "Wizcli Img Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, + "Wizcli Dir Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, + "Wizcli IAC Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, } # Override the hardcoded settings here via the env var From f7e40d3e263fb62cee8f584f64361fb8f284ff64 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 15:48:57 +0500 Subject: [PATCH 07/27] updated unit test files --- .../scans/wizcli_dir/wizcli_dir_many_vul.json | 10886 +++++- .../scans/wizcli_dir/wizcli_dir_one_vul.json | 364 +- .../scans/wizcli_dir/wizcli_dir_zero_vul.json | 233 +- .../scans/wizcli_iac/wizcli_iac_many_vul.json | 27851 +++++++++++++++- .../scans/wizcli_iac/wizcli_iac_one_vul.json | 3607 +- .../scans/wizcli_iac/wizcli_iac_zero_vul.json | 245 +- .../scans/wizcli_img/wizcli_img_many_vul.json | 4295 ++- .../scans/wizcli_img/wizcli_img_one_vul.json | 543 +- .../scans/wizcli_img/wizcli_img_zero_vul.json | 433 +- 9 files changed, 45864 insertions(+), 2593 deletions(-) diff --git a/unittests/scans/wizcli_dir/wizcli_dir_many_vul.json b/unittests/scans/wizcli_dir/wizcli_dir_many_vul.json index f88434c87af..3e5b88deeb9 100644 --- a/unittests/scans/wizcli_dir/wizcli_dir_many_vul.json +++ b/unittests/scans/wizcli_dir/wizcli_dir_many_vul.json @@ -1,393 +1,10541 @@ { - "id": "8001ea0c-7909-431f-b49b-ea73916cc7ba", - "projects": null, - "createdAt": "2024-07-22T05:45:06.845675076Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" - } - }, - "status": { - "state": "SUCCESS", - "verdict": "WARN_BY_POLICY" - }, - "policies": [ - { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 + "id": "800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf", + "projects": null, + "createdAt": "2025-05-07T09:04:41.009892445Z", + "startedAt": "0001-01-01T00:00:00Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginDirectory", + "name": "/builds/test.ai/security/testappsec" + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": null, + "libraries": [ + { + "name": "github.com/golang-jwt/jwt/v4", + "version": "4.5.1", + "path": "/settlements/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2025-30204", + "severity": "HIGH", + "fixedVersion": "4.5.2", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-mh63-6h87-95cp", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "github.com/golang-jwt/jwt/v5", + "version": "5.2.1", + "path": "/settlements/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2025-30204", + "severity": "HIGH", + "fixedVersion": "5.2.2", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-mh63-6h87-95cp", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "github.com/hashicorp/go-retryablehttp", + "version": "0.7.4", + "path": "/settlements/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-6104", + "severity": "MEDIUM", + "fixedVersion": "0.7.7", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-v6v8-xj6m-xwqh", + "description": null, + "score": 5.5, + "exploitabilityScore": 1.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "github.com/snowflakedb/gosnowflake", + "version": "1.13.0", + "path": "/settlements/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2025-46327", + "severity": "LOW", + "fixedVersion": "1.13.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-6jgm-j7h2-2fqg", + "description": null, + "score": 3.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.35.0", + "path": "/settlements/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/agreement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/agreement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/agreement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/agreement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/agreement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/bulkreport/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/bulkreport/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/bulkreport/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/bulkreport/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/bulkreport/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/contract/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/contract/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/contract/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/contract/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/contract/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/iban/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/iban/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/iban/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/iban/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/iban/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/invoices/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/invoices/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/invoices/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/invoices/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/invoices/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/scheduler/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/scheduler/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/scheduler/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/scheduler/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/scheduler/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/settlement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/settlement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/settlement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/settlement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/settlement/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/transactions/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/transactions/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/transactions/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] }, { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 - } + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/transactions/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ] }, { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/transactions/go.mod", + "vulnerabilities": [ { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } - ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginDirectory", - "name": "/Users/osama/Documents/testing" - }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": null, - "libraries": [ - { - "name": "golang.org/x/net", - "version": "0.14.0", - "path": "/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2023-44487", - "severity": "MEDIUM", - "fixedVersion": "0.17.0", - "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": true, - "hasCisaKevExploit": true, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - }, - { - "name": "CVE-2023-45288", - "severity": "MEDIUM", - "fixedVersion": "0.23.0", - "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - }, - { - "name": "CVE-2023-39325", - "severity": "HIGH", - "fixedVersion": "0.17.0", - "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/grpc/wathq/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } - ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] - }, - { - "name": "google.golang.org/grpc", - "version": "1.48.0", - "path": "/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2023-44487", - "severity": "MEDIUM", - "fixedVersion": "1.56.3", - "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": true, - "hasCisaKevExploit": true, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - }, - { - "name": "GHSA-m425-mq94-257g", - "severity": "HIGH", - "fixedVersion": "1.56.3", - "source": "https://github.com/advisories/GHSA-m425-mq94-257g", - "description": null, - "score": 7.5, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/grpc/wathq/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/grpc/wathq/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } - ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] - }, - { - "name": "google.golang.org/protobuf", - "version": "1.28.1", - "path": "/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2024-24786", - "severity": "MEDIUM", - "fixedVersion": "1.33.0", - "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + } + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/grpc/wathq/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } - ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] - } - ], - "applications": null, - "cpes": null, - "secrets": [ - { - "id": null, - "externalId": null, - "description": "Password in URL (postgresql://postgres:---REDACTED---@localhost:5432/postgres?)", - "path": "/testing.go", - "lineNumber": 35, - "offset": 521, - "type": "PASSWORD", - "contains": [ - { - "name": "Password", - "type": "PASSWORD" + } + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/grpc/wathq/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/net", + "version": "0.0.0-20201021035429-f5854403a974", + "path": "/settlements/pubsub/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-31525", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20210428140749-89ef3d95e781", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2022-41717", + "severity": "MEDIUM", + "fixedVersion": "0.4.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-3978", + "severity": "MEDIUM", + "fixedVersion": "0.13.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-2wrh-6pvc-2jm9", + "description": null, + "score": 6.1, + "exploitabilityScore": 2.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2023-45288", + "severity": "MEDIUM", + "fixedVersion": "0.23.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", + "description": null, + "score": 5.3, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "CVE-2021-33194", + "severity": "HIGH", + "fixedVersion": "0.0.0-20210520170846-37e1c6afe023", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2021-44716", + "severity": "HIGH", + "fixedVersion": "0.0.0-20211209124913-491a49abca63", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-27664", + "severity": "HIGH", + "fixedVersion": "0.0.0-20220906165146-f3363e06e74c", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-41723", + "severity": "HIGH", + "fixedVersion": "0.7.0", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2023-39325", + "severity": "HIGH", + "fixedVersion": "0.17.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + } + ] + }, + { + "name": "golang.org/x/sys", + "version": "0.0.0-20210119212857-b64e53b001e4", + "path": "/settlements/pubsub/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2022-29526", + "severity": "MEDIUM", + "fixedVersion": "0.0.0-20220412211240-33da011f77ad", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526", + "description": null, + "score": 5.3, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "golang.org/x/text", + "version": "0.3.3", + "path": "/settlements/pubsub/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2021-38561", + "severity": "HIGH", + "fixedVersion": "0.3.7", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + }, + { + "name": "CVE-2022-32149", + "severity": "HIGH", + "fixedVersion": "0.3.8", + "fileRemediation": null, + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 } } - ], - "details": { - "__typename": "DiskScanSecretDetailsPassword", - "length": 8, - "isComplex": false } - } - ], - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, - "hostConfiguration": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + ] + }, + { + "name": "google.golang.org/grpc", + "version": "1.49.0", + "path": "/settlements/pubsub/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "severity": "MEDIUM", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": true, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + }, + { + "name": "GHSA-m425-mq94-257g", + "severity": "HIGH", + "fixedVersion": "1.56.3", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-m425-mq94-257g", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } } - } - ], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 0, - "mediumCount": 4, - "highCount": 2, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 - }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 1, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 1 - }, - "hostConfiguration": null, - "filesScannedCount": 34, - "directoriesScannedCount": 18 + ] + }, + { + "name": "google.golang.org/protobuf", + "version": "1.28.1", + "path": "/settlements/pubsub/payout/go.mod", + "vulnerabilities": [ + { + "name": "CVE-2024-24786", + "severity": "MEDIUM", + "fixedVersion": "1.33.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [] } + ], + "applications": null, + "cpes": null, + "secrets": null, + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans" - } - \ No newline at end of file + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 1, + "mediumCount": 113, + "highCount": 90, + "criticalCount": 0, + "unfixedCount": 0, + "totalCount": 0 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 0, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "totalCount": 0 + }, + "hostConfiguration": null, + "filesScannedCount": 1035, + "directoriesScannedCount": 379 + } + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#%7E%28cicd_scan%7E%27800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf%29" +} diff --git a/unittests/scans/wizcli_dir/wizcli_dir_one_vul.json b/unittests/scans/wizcli_dir/wizcli_dir_one_vul.json index dc0523ec00f..8f02f5ca29b 100644 --- a/unittests/scans/wizcli_dir/wizcli_dir_one_vul.json +++ b/unittests/scans/wizcli_dir/wizcli_dir_one_vul.json @@ -1,151 +1,245 @@ { - "id": "800160eb-28b3-459c-a878-1e3d195a4a10", - "projects": null, - "createdAt": "2024-07-22T06:59:56.73798427Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" + "id": "800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf", + "projects": null, + "createdAt": "2025-05-07T09:04:41.009892445Z", + "startedAt": "0001-01-01T00:00:00Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 } - }, - "status": { - "state": "SUCCESS", - "verdict": "PASSED_BY_POLICY" - }, - "policies": [ + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginDirectory", + "name": "/builds/test.ai/security/testappsec" + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": null, + "libraries": [ { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + "name": "github.com/golang-jwt/jwt/v4", + "version": "4.5.1", + "path": "/settlements/go.mod", + "vulnerabilities": [ { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "name": "CVE-2025-30204", + "severity": "HIGH", + "fixedVersion": "4.5.2", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-mh63-6h87-95cp", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } + } + ], + "finding": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 - } - }, - { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } + } } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 - } + ] } ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginDirectory", - "name": "/Users/osama/Documents/testing" + "applications": null, + "cpes": null, + "secrets": null, + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": null, - "libraries": [ - { - "name": "google.golang.org/protobuf", - "version": "1.28.1", - "path": "/grpc/proto/go.mod", - "vulnerabilities": [ + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "name": "CVE-2024-24786", - "severity": "MEDIUM", - "fixedVersion": "1.33.0", - "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 + } } - ], - "applications": null, - "cpes": null, - "secrets": null, - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, - "hostConfiguration": null, - "failedPolicyMatches": [], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 0, - "mediumCount": 4, - "highCount": 2, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 - }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 0, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 0 - }, - "hostConfiguration": null, - "filesScannedCount": 35, - "directoriesScannedCount": 18 } - }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans#" - } - \ No newline at end of file + ], + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 1, + "criticalCount": 0, + "unfixedCount": 0, + "totalCount":1 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 0, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "totalCount": 0 + }, + "hostConfiguration": null, + "filesScannedCount": 1035, + "directoriesScannedCount": 379 + } + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#%7E%28cicd_scan%7E%27800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf%29" +} diff --git a/unittests/scans/wizcli_dir/wizcli_dir_zero_vul.json b/unittests/scans/wizcli_dir/wizcli_dir_zero_vul.json index 5451d44f199..9ae99291188 100644 --- a/unittests/scans/wizcli_dir/wizcli_dir_zero_vul.json +++ b/unittests/scans/wizcli_dir/wizcli_dir_zero_vul.json @@ -1,115 +1,136 @@ { - "id": "80019f59-f4a4-4d29-a4da-b0b15b898aa3", - "projects": null, - "createdAt": "2024-07-22T09:03:01.610132857Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" + "id": "800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf", + "projects": null, + "createdAt": "2025-05-07T09:04:41.009892445Z", + "startedAt": "0001-01-01T00:00:00Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginDirectory", + "name": "/builds/test.ai/security/testappsec" + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": null, + "libraries": null, + "applications": null, + "cpes": null, + "secrets": null, + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null }, - "status": { - "state": "SUCCESS", - "verdict": "PASSED_BY_POLICY" - }, - "policies": [ - { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 - } - }, + "failedPolicyMatches": [ { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0 } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 } } ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginDirectory", - "name": "/Users/osama/Documents/testing" - }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": null, - "libraries": null, - "applications": null, - "cpes": null, - "secrets": null, - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 1, + "criticalCount": 0, + "unfixedCount": 0, + "totalCount":1 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 0, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "totalCount": 0 + }, "hostConfiguration": null, - "failedPolicyMatches": [], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 0, - "mediumCount": 0, - "highCount": 0, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 - }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 0, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 0 - }, - "hostConfiguration": null, - "filesScannedCount": 0, - "directoriesScannedCount": 1 - } - }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans#%7E%28cicd_scan%7E%2780019f59-f4a4-4d29-a4da-b0b15b898aa3%29" - } - \ No newline at end of file + "filesScannedCount": 1035, + "directoriesScannedCount": 379 + } + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#%7E%28cicd_scan%7E%27800143dd-bf4b-4ac1-adf0-7a51c6d5cfcf%29" +} diff --git a/unittests/scans/wizcli_iac/wizcli_iac_many_vul.json b/unittests/scans/wizcli_iac/wizcli_iac_many_vul.json index 6e000305048..5d1602073db 100644 --- a/unittests/scans/wizcli_iac/wizcli_iac_many_vul.json +++ b/unittests/scans/wizcli_iac/wizcli_iac_many_vul.json @@ -1,1023 +1,26908 @@ { - "id": "8001bd54-1d74-44a4-97f9-b9feb9d0c0dd", - "projects": null, - "createdAt": "2024-07-16T12:17:35.187550518Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12341234234123412341234" - } - }, - "status": { - "state": "SUCCESS", - "verdict": "WARN_BY_POLICY" - }, - "policies": [ - { - "id": "ce4872e0-ea52-463f-aad7-6ba1807062fa", - "name": "Default IaC policy", - "description": "Default built-in policy for Infrastructure as Code scanning", - "type": "IAC", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "ADMISSION_CONTROLLER" - }, - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsiac", - "severityThreshold": "CRITICAL", - "countThreshold": 1, - "ignoredRules": null, - "validatableIgnoredRules": null, - "builtinIgnoreTagsEnabled": false, - "customIgnoreTags": null, - "securityFrameworks": null - } - }, - { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "id": "80018f07-b8ec-4cb0-8159-570683fb26a8", + "projects": null, + "createdAt": "2025-05-14T10:27:25.982799496Z", + "startedAt": "2025-05-14T10:27:08.345715984Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER" + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginIAC", - "name": "IAC scan 2024-07-16T12:17:28Z", - "subTypes": [ - "DOCKERFILE", - "KUBERNETES" - ] }, - "result": { - "__typename": "CICDIACScanResult", - "failedPolicyMatches": [ + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" } ], - "ruleMatches": [ - { - "rule": { - "id": "4ac84116-456f-4d60-9e12-187607266faf", - "name": "Apk Add Using Local Cache Path" - }, - "severity": "INFORMATIONAL", - "failedResourceCount": 1, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}", - "fileName": "Dockerfile", - "lineNumber": 8, - "matchContent": "RUN apk add --update make git musl-dev gcc", - "expected": "'RUN' should not contain 'apk add' command without '--no-cache' switch", - "found": "'RUN' contains 'apk add' command without '--no-cache' switch", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] - }, - { - "rule": { - "id": "ab1043e3-1eeb-4e38-9ca9-7ec0e99fe2ba", - "name": "Healthcheck Instruction Missing" - }, - "severity": "LOW", - "failedResourceCount": 1, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}", - "fileName": "Dockerfile", - "lineNumber": 58, - "matchContent": "FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest", - "expected": "Dockerfile should contain instruction 'HEALTHCHECK'", - "found": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] - }, - { - "rule": { - "id": "3c7c78be-24a9-4c23-9e8c-de498371c2c5", - "name": "Multiple RUN, ADD, COPY, Instructions Listed" - }, - "severity": "LOW", - "failedResourceCount": 1, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}.{{COPY --from=builder /go/src/gitlab.com/evilorg.com/apid/certs/entrust_l1k.cer /usr/local/share/ca-certificates}}", - "fileName": "Dockerfile", - "lineNumber": 77, - "matchContent": "COPY --from=builder /go/src/gitlab.com/evilorg.com/apid/certs/entrust_l1k.cer /usr/local/share/ca-certificates", - "expected": "There isn´t any COPY instruction that could be grouped", - "found": "There are COPY instructions that could be grouped", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] - }, - { - "rule": { - "id": "8fe98176-f61f-43dc-9381-f53231d807a8", - "name": "Image Version Using 'latest'" - }, - "severity": "MEDIUM", - "failedResourceCount": 2, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}", - "fileName": "Dockerfile", - "lineNumber": 4, - "matchContent": "FROM registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder", - "expected": "FROM registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest:'version' where version should not be 'latest'", - "found": "FROM registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest'", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - }, - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}", - "fileName": "Dockerfile", - "lineNumber": 58, - "matchContent": "FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest", - "expected": "FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest:'version' where version should not be 'latest'", - "found": "FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest'", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] - }, - { - "rule": { - "id": "23f75d4b-1910-40df-b4f8-173d1ab045ca", - "name": "Unpinned Package Version in Apk Add" - }, - "severity": "MEDIUM", - "failedResourceCount": 2, - "failedPolicyMatches": [], - "matches": [ + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": null, + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginIAC", + "name": "IAC scan 2025-05-14T10:27:07Z", + "subTypes": [ + "TERRAFORM", + "KUBERNETES" + ] + }, + "result": { + "__typename": "CICDIACScanResult", + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}", - "fileName": "Dockerfile", - "lineNumber": 8, - "matchContent": "RUN apk add --update make git musl-dev gcc", - "expected": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "found": "RUN instruction apk add --update make git musl-dev gcc does not use package pinning form", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null }, { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}.{{RUN apk add --no-cache ca-certificates make git && rm -rf /var/cache/apk/*}}", - "fileName": "Dockerfile", - "lineNumber": 62, - "matchContent": "RUN apk add --no-cache ca-certificates make git \\\n && rm -rf /var/cache/apk/*", - "expected": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "found": "RUN instruction apk add --no-cache ca-certificates make git && rm -rf /var/cache/apk/* does not use package pinning form", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } - ] + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } }, - { - "rule": { - "id": "5855db58-e570-404d-8fb1-4c85a015d073", - "name": "Update Instruction Alone" - }, - "severity": "MEDIUM", - "failedResourceCount": 1, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.RUN={{apk add --update make git musl-dev gcc}}", - "fileName": "Dockerfile", - "lineNumber": 8, - "matchContent": "RUN apk add --update make git musl-dev gcc", - "expected": "Instruction 'RUN update' should be followed by 'RUN install' ", - "found": "Instruction 'RUN update' isn't followed by 'RUN install in the same 'RUN' statement", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "ruleMatches": [ + { + "rule": { + "id": "bd9e69dd-93a1-4122-900a-992135c62572", + "name": "Bucket usage logs should be enabled" }, - { - "rule": { - "id": "00a275c9-6307-4212-b5d9-e2596571edbc", - "name": "Missing User Instruction" - }, - "severity": "HIGH", - "failedResourceCount": 1, - "failedPolicyMatches": [], - "matches": [ - { - "failedPolicies": [], - "resourceName": "FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}", - "fileName": "Dockerfile", - "lineNumber": 58, - "matchContent": "FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest", - "expected": "The 'Dockerfile' should contain the 'USER' instruction", - "found": "The 'Dockerfile' does not contain any 'USER' instruction", - "fileType": "DOCKERFILE", - "remediationInstructions": null, - "fileRemediation": null - } - ] - } - ], - "scanStatistics": { - "infoMatches": 1, - "lowMatches": 2, - "mediumMatches": 5, - "highMatches": 1, - "criticalMatches": 0, - "totalMatches": 0, - "filesFound": 22, - "filesParsed": 22, - "queriesLoaded": 204, - "queriesExecuted": 204, - "queriesExecutionFailed": 0 - }, - "secrets": [ - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Certificate for evilorg.com", - "path": "docker-compose.yaml", - "lineNumber": 239, - "offset": 0, - "type": "CERTIFICATE", - "contains": [ - { - "name": "Passwords And Secrets - Certificate for evilorg.com", - "type": "CERTIFICATE" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + "severity": "LOW", + "failedResourceCount": 61, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/dev/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/dev/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[ops-filestore]", + "fileName": "states/dev/storage.tf", + "lineNumber": 24, + "matchContent": "resource \"google_storage_bucket\" \"ops-filestore\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/dev/storage.tf", + "lineNumber": 31, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 56, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 85, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gitlab-runner-caches]", + "fileName": "states/dev/storage.tf", + "lineNumber": 103, + "matchContent": "resource \"google_storage_bucket\" \"gitlab-runner-caches\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 123, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 135, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 147, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/dev/storage.tf", + "lineNumber": 167, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[public]", + "fileName": "states/dev/storage.tf", + "lineNumber": 209, + "matchContent": "resource \"google_storage_bucket\" \"public\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 221, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/dev/storage.tf", + "lineNumber": 247, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 259, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mta-sts]", + "fileName": "states/dev/storage.tf", + "lineNumber": 277, + "matchContent": "resource \"google_storage_bucket\" \"test-mta-sts\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/dev/storage.tf", + "lineNumber": 289, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/dev/storage.tf", + "lineNumber": 310, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-athens]", + "fileName": "states/dev/storage.tf", + "lineNumber": 330, + "matchContent": "resource \"google_storage_bucket\" \"test-athens\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 350, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 371, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 386, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 402, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-dd-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 418, + "matchContent": "resource \"google_storage_bucket\" \"terraform-dd-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[merchant-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 425, + "matchContent": "resource \"google_storage_bucket\" \"merchant-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-merchant-assets]", + "fileName": "states/dev/storage.tf", + "lineNumber": 464, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-merchant-assets\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-tableau-1-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 497, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-tableau-1-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/dev/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/prod/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/prod/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/prod/storage.tf", + "lineNumber": 33, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[datadog-logs-archive]", + "fileName": "states/prod/storage.tf", + "lineNumber": 45, + "matchContent": "resource \"google_storage_bucket\" \"datadog-logs-archive\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 63, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports-multi]", + "fileName": "states/prod/storage.tf", + "lineNumber": 81, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports-multi\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[fivetran]", + "fileName": "states/prod/storage.tf", + "lineNumber": 99, + "matchContent": "resource \"google_storage_bucket\" \"fivetran\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 126, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 138, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 150, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-m2p-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 170, + "matchContent": "resource \"google_storage_bucket\" \"test-m2p-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/prod/storage.tf", + "lineNumber": 182, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-static]", + "fileName": "states/prod/storage.tf", + "lineNumber": 204, + "matchContent": "resource \"google_storage_bucket\" \"test-static\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 216, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/prod/storage.tf", + "lineNumber": 241, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 253, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-clevertap-export]", + "fileName": "states/prod/storage.tf", + "lineNumber": 270, + "matchContent": "resource \"google_storage_bucket\" \"test-clevertap-export\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-crm]", + "fileName": "states/prod/storage.tf", + "lineNumber": 290, + "matchContent": "resource \"google_storage_bucket\" \"test-crm\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/prod/storage.tf", + "lineNumber": 302, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-prod-ciso-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 324, + "matchContent": "resource \"google_storage_bucket\" \"test-prod-ciso-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 336, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 351, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 372, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/prod/storage.tf", + "lineNumber": 388, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/prod/storage.tf", + "lineNumber": 404, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[feeds]", + "fileName": "states/prod/storage.tf", + "lineNumber": 424, + "matchContent": "resource \"google_storage_bucket\" \"feeds\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/prod/storage.tf", + "lineNumber": 445, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/prod/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 19, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 37, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 53, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/sandbox/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "ac976d3f-d8e4-4072-9843-703da3997d00", + "name": "Container CPU Requests Not Equal To Its Limits" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.limits", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 11, + "matchContent": " limits:", + "expected": "spec.containers[my-gpu-container].resources.limits.cpu should be defined", + "found": "spec.containers[my-gpu-container].resources.limits.cpu is not defined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "5b9385c6-0f6b-4baf-9966-493b74faab54", + "name": "Container memory requests not equal to its Limits" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.limits", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 11, + "matchContent": " limits:", + "expected": "spec.containers[my-gpu-container].resources.limits.memory should be defined", + "found": "spec.containers[my-gpu-container].resources.limits.memory is not defined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b58fdefa-96b7-43b4-8fd8-49e2a3087b58", + "name": "GKE cluster basic authentication should be disabled" + }, + "severity": "LOW", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dev/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'master_auth' should be defined", + "found": "Attribute 'master_auth' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dp/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'master_auth' should be defined", + "found": "Attribute 'master_auth' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/prod/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'master_auth' should be defined", + "found": "Attribute 'master_auth' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'master_auth' should be defined", + "found": "Attribute 'master_auth' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "969582ad-de14-4a49-af1d-cffa5c4c242c", + "name": "GKE cluster network policy should be enabled" + }, + "severity": "LOW", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dev/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Both 'network_policy' and 'addons_config' should be defined", + "found": "'network_policy' or 'addons_config' are not be defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dp/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Both 'network_policy' and 'addons_config' should be defined", + "found": "'network_policy' or 'addons_config' are not be defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/prod/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Both 'network_policy' and 'addons_config' should be defined", + "found": "'network_policy' or 'addons_config' are not be defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Both 'network_policy' and 'addons_config' should be defined", + "found": "'network_policy' or 'addons_config' are not be defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "9a37c502-9fc2-45e1-80e5-8d1f33fb7c7c", + "name": "GKE cluster node auto-upgrade should be enabled" + }, + "severity": "LOW", + "failedResourceCount": 18, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-review]", + "fileName": "states/dev/gke.tf", + "lineNumber": 51, + "matchContent": "resource \"google_container_node_pool\" \"app-pool-review\" {", + "expected": "google_container_node_pool.management should be defined and not null", + "found": "google_container_node_pool.management is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-review-spot-2].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 121, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[review-infra].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 160, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[review-infra-2].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 198, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-stage-v2].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 241, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[debezium-pool].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 284, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[infra-pool-v3].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 333, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[istio-pool].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 382, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[argocd-pool].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 431, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[build-pool-v2].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 483, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[android-build-pool].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 528, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool].management.auto_upgrade", + "fileName": "states/dev/gke.tf", + "lineNumber": 573, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool]", + "fileName": "states/dp/gke.tf", + "lineNumber": 47, + "matchContent": "resource \"google_container_node_pool\" \"app-pool\" {", + "expected": "google_container_node_pool.management should be defined and not null", + "found": "google_container_node_pool.management is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[infra-pool-v2].management.auto_upgrade", + "fileName": "states/prod/gke.tf", + "lineNumber": 92, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[dbz-pool-v2].management.auto_upgrade", + "fileName": "states/prod/gke.tf", + "lineNumber": 139, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gnr-pool].management.auto_upgrade", + "fileName": "states/prod/gke.tf", + "lineNumber": 228, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-prod-v4].management.auto_upgrade", + "fileName": "states/prod/gke.tf", + "lineNumber": 274, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool-v2].management.auto_upgrade", + "fileName": "states/prod/gke.tf", + "lineNumber": 363, + "matchContent": " auto_upgrade = false", + "expected": "management.auto_upgrade should be true", + "found": "management.auto_upgrade is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "dbc44a88-8924-4d59-aa16-608fbff38b21", + "name": "GKE cluster nodes auto-repair should be enabled" + }, + "severity": "LOW", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-review].management", + "fileName": "states/dev/gke.tf", + "lineNumber": 120, + "matchContent": " management {", + "expected": "google_container_node_pool[app-pool-review].management.auto_repair should be defined and not null", + "found": "google_container_node_pool[app-pool-review].management.auto_repair is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool].management", + "fileName": "states/dp/gke.tf", + "lineNumber": 47, + "matchContent": "resource \"google_container_node_pool\" \"app-pool\" {", + "expected": "google_container_node_pool[app-pool].management.auto_repair should be defined and not null", + "found": "google_container_node_pool[app-pool].management.auto_repair is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "7f6631eb-45ac-4fbd-b7a4-d38a9d84b622", + "name": "GKE cluster should have a Pod Security Policy enabled" + }, + "severity": "LOW", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dev/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'pod_security_policy_config' should be defined", + "found": "Attribute 'pod_security_policy_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dp/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'pod_security_policy_config' should be defined", + "found": "Attribute 'pod_security_policy_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/prod/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'pod_security_policy_config' should be defined", + "found": "Attribute 'pod_security_policy_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'pod_security_policy_config' should be defined", + "found": "Attribute 'pod_security_policy_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "1364fd5c-6df0-4c65-af0c-68fa8cd6e273", + "name": "GKE cluster should have label information" + }, + "severity": "LOW", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dev/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'resource_labels' should be defined", + "found": "Attribute 'resource_labels' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dp/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'resource_labels' should be defined", + "found": "Attribute 'resource_labels' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/prod/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'resource_labels' should be defined", + "found": "Attribute 'resource_labels' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "Attribute 'resource_labels' should be defined", + "found": "Attribute 'resource_labels' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "71bdf996-adb0-401f-9af5-0f2e2ac4b60f", + "name": "Image Pull Policy Of The Container Is Not Set To Always" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.imagePullPolicy", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.imagePullPolicy should be set to 'Always'", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.imagePullPolicy relies on mutable images in cache", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "f4e5f2c7-79d1-4338-bdd4-ddbdd2b864e7", + "name": "Image Without Digest" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.image", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 8, + "matchContent": " image: nvidia/cuda:11.0.3-runtime-ubuntu20.04", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.image should specify the image with a digest", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.image does not include an image digest", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "86851e2f-4605-4572-b87a-2ad8c62290d8", + "name": "Kubernetes Resource without ResourceQuota" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 4, + "matchContent": " name: my-gpu-pod", + "expected": "metadata.name={{my-gpu-pod}} has a 'ResourceQuota' policy associated", + "found": "metadata.name={{my-gpu-pod}} does not have a 'ResourceQuota' policy associated", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "c9bf2e41-95ea-46bd-b611-1d3c31534abc", + "name": "Missing App Armor Config" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 4, + "matchContent": " name: my-gpu-pod", + "expected": "metadata.name={{my-gpu-pod}}.annotations should specify an AppArmor profile for container {{my-gpu-container}}", + "found": "metadata.name={{my-gpu-pod}}.annotations does not specify an AppArmor profile for container {{my-gpu-container}}", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "6e4dfecc-5dde-4f19-9de7-4407a0995d36", + "name": "New disks should be encrypted with CSEK" + }, + "severity": "LOW", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_compute_disk[broker]", + "fileName": "modules/confluent-platform/storage.tf", + "lineNumber": 7, + "matchContent": "resource \"google_compute_disk\" \"broker\" {", + "expected": "'google_compute_disk[broker].disk_encryption_key' should be defined and not null", + "found": "'google_compute_disk[broker].disk_encryption_key' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_disk\" \"example_disk\" {\n disk_encryption_key {\n kms_key_self_link = \"\" // Add your KMS key \n }\n}\n// You can also configure \"raw_key\" or \"rsa_encrypted_key\" instead of \"kms_key_self_link\"\n", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_disk[zookeeper]", + "fileName": "modules/confluent-platform/storage.tf", + "lineNumber": 27, + "matchContent": "resource \"google_compute_disk\" \"zookeeper\" {", + "expected": "'google_compute_disk[zookeeper].disk_encryption_key' should be defined and not null", + "found": "'google_compute_disk[zookeeper].disk_encryption_key' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_disk\" \"example_disk\" {\n disk_encryption_key {\n kms_key_self_link = \"\" // Add your KMS key \n }\n}\n// You can also configure \"raw_key\" or \"rsa_encrypted_key\" instead of \"kms_key_self_link\"\n", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "ee47154d-5ab0-4354-bcdf-0738b49f8edb", + "name": "No Drop Capabilities for Containers" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name=my-gpu-container", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name=my-gpu-container.securityContext should be set", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name=my-gpu-container.securityContext is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "e29ade5b-173a-4584-adde-a0bbb7a792d3", + "name": "Pod or Container Without LimitRange" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 4, + "matchContent": " name: my-gpu-pod", + "expected": "metadata.name={{my-gpu-pod}} has a 'LimitRange' policy associated", + "found": "metadata.name={{my-gpu-pod}} does not have a 'LimitRange' policy associated", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b14bddae-c575-4873-830f-158725763010", + "name": "Pod or Container Without Security Context" + }, + "severity": "LOW", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 5, + "matchContent": "spec:", + "expected": "metadata.name={{my-gpu-pod}}.spec has a security context", + "found": "metadata.name={{my-gpu-pod}}.spec does not have a security context", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name=my-gpu-container", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "spec.containers.name=my-gpu-container has a security context", + "found": "spec.containers.name=my-gpu-container does not have a security context", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "c19509ef-ee5d-4e2d-8710-a860cfa0c095", + "name": "Pod should not allow container privilege escalation (PSS Restricted)" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.allowPrivilegeEscalation is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b022c49b-b588-4c70-bf1c-f1039c4cde0f", + "name": "Pod should not run containers with any additional capabilities except NET_BIND_SERVICE (PSS Restricted)" + }, + "severity": "LOW", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.capabilities", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "'metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.capabilities.drop' is not set or not set to 'ALL'", + "found": "'metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.capabilities.drop' should be set to 'ALL'", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "700bef76-3c6a-4430-99c1-881623ff4b2c", + "name": "Service Account should not have Admin privileges" + }, + "severity": "LOW", + "failedResourceCount": 5, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_project_iam_member[storage_objectAdmin].role", + "fileName": "states/dp/iam.tf", + "lineNumber": 3, + "matchContent": " role = \"roles/storage.objectAdmin\"", + "expected": "google_project_iam_member[storage_objectAdmin].role should not have admin, editor, owner, or write privileges for service account member", + "found": "google_project_iam_member[storage_objectAdmin].role has admin, editor, owner, or write privilege for service account member", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_project_iam_member[gke-operator-storage_objectAdmin].role", + "fileName": "states/dp/iam.tf", + "lineNumber": 9, + "matchContent": " role = \"roles/storage.objectAdmin\"", + "expected": "google_project_iam_member[gke-operator-storage_objectAdmin].role should not have admin, editor, owner, or write privileges for service account member", + "found": "google_project_iam_member[gke-operator-storage_objectAdmin].role has admin, editor, owner, or write privilege for service account member", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_project_iam_member[tb-sync-storage_objectAdmin].role", + "fileName": "states/dp/iam.tf", + "lineNumber": 15, + "matchContent": " role = \"roles/storage.objectAdmin\"", + "expected": "google_project_iam_member[tb-sync-storage_objectAdmin].role should not have admin, editor, owner, or write privileges for service account member", + "found": "google_project_iam_member[tb-sync-storage_objectAdmin].role has admin, editor, owner, or write privilege for service account member", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_project_iam_binding[pub-sub-editor].role", + "fileName": "states/dp/iam.tf", + "lineNumber": 21, + "matchContent": " role = \"roles/pubsub.editor\"", + "expected": "google_project_iam_binding[pub-sub-editor].role should not have admin, editor, owner, or write privileges for service account member", + "found": "google_project_iam_binding[pub-sub-editor].role has admin, editor, owner, or write privilege for service account member", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_project_iam_binding[bigquery-editor].role", + "fileName": "states/dp/iam.tf", + "lineNumber": 35, + "matchContent": " role = \"roles/bigquery.dataEditor\"", + "expected": "google_project_iam_binding[bigquery-editor].role should not have admin, editor, owner, or write privileges for service account member", + "found": "google_project_iam_binding[bigquery-editor].role has admin, editor, owner, or write privilege for service account member", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "e34d07d1-4a26-4334-a081-10203adaf5fe", + "name": "VPC Flow Logs should be enabled for traffic logging" + }, + "severity": "LOW", + "failedResourceCount": 15, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet]", + "fileName": "states/dev/vpc.tf", + "lineNumber": 6, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet\" {", + "expected": "'google_compute_subnetwork[subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[infra-subnet]", + "fileName": "states/dev/vpc.tf", + "lineNumber": 14, + "matchContent": "resource \"google_compute_subnetwork\" \"infra-subnet\" {", + "expected": "'google_compute_subnetwork[infra-subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[infra-subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[axilink-subnet]", + "fileName": "states/dev/vpc.tf", + "lineNumber": 22, + "matchContent": "resource \"google_compute_subnetwork\" \"axilink-subnet\" {", + "expected": "'google_compute_subnetwork[axilink-subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[axilink-subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[internal_proxy_subnet]", + "fileName": "states/dev/vpc.tf", + "lineNumber": 30, + "matchContent": "resource \"google_compute_subnetwork\" \"internal_proxy_subnet\" {", + "expected": "'google_compute_subnetwork[internal_proxy_subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[internal_proxy_subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet]", + "fileName": "states/dp/vpc.tf", + "lineNumber": 21, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet\" {", + "expected": "'google_compute_subnetwork[subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet]", + "fileName": "states/dwh/vpc.tf", + "lineNumber": 21, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet\" {", + "expected": "'google_compute_subnetwork[subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet-europe-west3]", + "fileName": "states/dwh/vpc.tf", + "lineNumber": 30, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet-europe-west3\" {", + "expected": "'google_compute_subnetwork[subnet-europe-west3].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet-europe-west3].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[infra-subnet]", + "fileName": "states/prod/vpc.tf", + "lineNumber": 20, + "matchContent": "resource \"google_compute_subnetwork\" \"infra-subnet\" {", + "expected": "'google_compute_subnetwork[infra-subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[infra-subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[axilink-subnet]", + "fileName": "states/prod/vpc.tf", + "lineNumber": 28, + "matchContent": "resource \"google_compute_subnetwork\" \"axilink-subnet\" {", + "expected": "'google_compute_subnetwork[axilink-subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[axilink-subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[test-prod-axilink-subnet-mc2]", + "fileName": "states/prod/vpc.tf", + "lineNumber": 36, + "matchContent": "resource \"google_compute_subnetwork\" \"test-prod-axilink-subnet-mc2\" {", + "expected": "'google_compute_subnetwork[test-prod-axilink-subnet-mc2].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[test-prod-axilink-subnet-mc2].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[internal_proxy_subnet]", + "fileName": "states/prod/vpc.tf", + "lineNumber": 52, + "matchContent": "resource \"google_compute_subnetwork\" \"internal_proxy_subnet\" {", + "expected": "'google_compute_subnetwork[internal_proxy_subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[internal_proxy_subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet]", + "fileName": "states/sandbox/vpc.tf", + "lineNumber": 6, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet\" {", + "expected": "'google_compute_subnetwork[subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet]", + "fileName": "states/test-dp-dev/vpc.tf", + "lineNumber": 15, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet\" {", + "expected": "'google_compute_subnetwork[subnet].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet-risk]", + "fileName": "states/test-dp-dev/vpc.tf", + "lineNumber": 23, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet-risk\" {", + "expected": "'google_compute_subnetwork[subnet-risk].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet-risk].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_subnetwork[subnet-ds]", + "fileName": "states/test-dp-dev/vpc.tf", + "lineNumber": 31, + "matchContent": "resource \"google_compute_subnetwork\" \"subnet-ds\" {", + "expected": "'google_compute_subnetwork[subnet-ds].log_config' should be defined and not null", + "found": "'google_compute_subnetwork[subnet-ds].log_config' is undefined, null, or empty array", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "81a88a63-ea2b-4168-bca4-065cb5abff42", + "name": "BigQuery dataset should be configured with a default customer-managed key" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_bigquery_dataset[prod_checkout]", + "fileName": "states/prod/bigquery.tf", + "lineNumber": 77, + "matchContent": "resource \"google_bigquery_dataset\" \"prod_checkout\" {", + "expected": "'google_bigquery_dataset[prod_checkout].default_encryption_configuration.kms_key_name' should be defined", + "found": "'google_bigquery_dataset[prod_checkout].default_encryption_configuration' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "c0f012b4-38fb-4ef3-9b85-95479755a283", + "name": "Bucket should be encrypted with a customer-managed key" + }, + "severity": "MEDIUM", + "failedResourceCount": 61, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/dev/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "google_storage_bucket[elastic-snapshots].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[elastic-snapshots].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/dev/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "google_storage_bucket[vault-store].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[ops-filestore]", + "fileName": "states/dev/storage.tf", + "lineNumber": 24, + "matchContent": "resource \"google_storage_bucket\" \"ops-filestore\" {", + "expected": "google_storage_bucket[ops-filestore].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[ops-filestore].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/dev/storage.tf", + "lineNumber": 31, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "google_storage_bucket[axi-pgbackrest].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[axi-pgbackrest].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 56, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "google_storage_bucket[terraform-state].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-state].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 85, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "google_storage_bucket[cloud-sql-exports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[cloud-sql-exports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gitlab-runner-caches]", + "fileName": "states/dev/storage.tf", + "lineNumber": 103, + "matchContent": "resource \"google_storage_bucket\" \"gitlab-runner-caches\" {", + "expected": "google_storage_bucket[gitlab-runner-caches].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[gitlab-runner-caches].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 123, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "google_storage_bucket[test-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 135, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "google_storage_bucket[test-settlement-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-settlement-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 147, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "google_storage_bucket[test-chat-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-chat-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/dev/storage.tf", + "lineNumber": 167, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "google_storage_bucket[test-mail-attachments].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-mail-attachments].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[public]", + "fileName": "states/dev/storage.tf", + "lineNumber": 209, + "matchContent": "resource \"google_storage_bucket\" \"public\" {", + "expected": "google_storage_bucket[public].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[public].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 221, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "google_storage_bucket[test-withdrawals-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-withdrawals-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/dev/storage.tf", + "lineNumber": 247, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "google_storage_bucket[test-ai-models].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-ai-models].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 259, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "google_storage_bucket[sanity-dataset-exports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[sanity-dataset-exports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mta-sts]", + "fileName": "states/dev/storage.tf", + "lineNumber": 277, + "matchContent": "resource \"google_storage_bucket\" \"test-mta-sts\" {", + "expected": "google_storage_bucket[test-mta-sts].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-mta-sts].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/dev/storage.tf", + "lineNumber": 289, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "google_storage_bucket[test-customer-support].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-customer-support].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/dev/storage.tf", + "lineNumber": 310, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "google_storage_bucket[test-merchant-dashboard-files].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-merchant-dashboard-files].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-athens]", + "fileName": "states/dev/storage.tf", + "lineNumber": 330, + "matchContent": "resource \"google_storage_bucket\" \"test-athens\" {", + "expected": "google_storage_bucket[test-athens].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-athens].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 350, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "google_storage_bucket[gcp-iam-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[gcp-iam-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 371, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 386, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 402, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-dd-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 418, + "matchContent": "resource \"google_storage_bucket\" \"terraform-dd-state\" {", + "expected": "google_storage_bucket[terraform-dd-state].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-dd-state].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[merchant-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 425, + "matchContent": "resource \"google_storage_bucket\" \"merchant-reports\" {", + "expected": "google_storage_bucket[merchant-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[merchant-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-merchant-assets]", + "fileName": "states/dev/storage.tf", + "lineNumber": 464, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-merchant-assets\" {", + "expected": "google_storage_bucket[test-dev-merchant-assets].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-dev-merchant-assets].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-tableau-1-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 497, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-tableau-1-backups\" {", + "expected": "google_storage_bucket[test-dev-tableau-1-backups].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-dev-tableau-1-backups].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/dev/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "google_storage_bucket[velero].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[velero].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/prod/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "google_storage_bucket[elastic-snapshots].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[elastic-snapshots].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/prod/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "google_storage_bucket[vault-store].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/prod/storage.tf", + "lineNumber": 33, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "google_storage_bucket[terraform-state].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-state].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[datadog-logs-archive]", + "fileName": "states/prod/storage.tf", + "lineNumber": 45, + "matchContent": "resource \"google_storage_bucket\" \"datadog-logs-archive\" {", + "expected": "google_storage_bucket[datadog-logs-archive].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[datadog-logs-archive].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 63, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "google_storage_bucket[cloud-sql-exports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[cloud-sql-exports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports-multi]", + "fileName": "states/prod/storage.tf", + "lineNumber": 81, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports-multi\" {", + "expected": "google_storage_bucket[cloud-sql-exports-multi].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[cloud-sql-exports-multi].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[fivetran]", + "fileName": "states/prod/storage.tf", + "lineNumber": 99, + "matchContent": "resource \"google_storage_bucket\" \"fivetran\" {", + "expected": "google_storage_bucket[fivetran].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[fivetran].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 126, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "google_storage_bucket[test-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 138, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "google_storage_bucket[test-settlement-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-settlement-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 150, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "google_storage_bucket[test-chat-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-chat-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-m2p-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 170, + "matchContent": "resource \"google_storage_bucket\" \"test-m2p-reports\" {", + "expected": "google_storage_bucket[test-m2p-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-m2p-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/prod/storage.tf", + "lineNumber": 182, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "google_storage_bucket[test-mail-attachments].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-mail-attachments].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-static]", + "fileName": "states/prod/storage.tf", + "lineNumber": 204, + "matchContent": "resource \"google_storage_bucket\" \"test-static\" {", + "expected": "google_storage_bucket[test-static].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-static].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 216, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "google_storage_bucket[test-withdrawals-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-withdrawals-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/prod/storage.tf", + "lineNumber": 241, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "google_storage_bucket[test-ai-models].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-ai-models].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 253, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "google_storage_bucket[sanity-dataset-exports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[sanity-dataset-exports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-clevertap-export]", + "fileName": "states/prod/storage.tf", + "lineNumber": 270, + "matchContent": "resource \"google_storage_bucket\" \"test-clevertap-export\" {", + "expected": "google_storage_bucket[test-clevertap-export].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-clevertap-export].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-crm]", + "fileName": "states/prod/storage.tf", + "lineNumber": 290, + "matchContent": "resource \"google_storage_bucket\" \"test-crm\" {", + "expected": "google_storage_bucket[test-crm].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-crm].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/prod/storage.tf", + "lineNumber": 302, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "google_storage_bucket[test-customer-support].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-customer-support].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-prod-ciso-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 324, + "matchContent": "resource \"google_storage_bucket\" \"test-prod-ciso-reports\" {", + "expected": "google_storage_bucket[test-prod-ciso-reports].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-prod-ciso-reports].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 336, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 351, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "google_storage_bucket[gcp-iam-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[gcp-iam-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 372, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/prod/storage.tf", + "lineNumber": 388, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/prod/storage.tf", + "lineNumber": 404, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "google_storage_bucket[test-merchant-dashboard-files].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[test-merchant-dashboard-files].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[feeds]", + "fileName": "states/prod/storage.tf", + "lineNumber": 424, + "matchContent": "resource \"google_storage_bucket\" \"feeds\" {", + "expected": "google_storage_bucket[feeds].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[feeds].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/prod/storage.tf", + "lineNumber": 445, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "google_storage_bucket[axi-pgbackrest].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[axi-pgbackrest].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/prod/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "google_storage_bucket[velero].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[velero].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "google_storage_bucket[vault-store].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 19, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[terraform-state-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 37, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backup].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 53, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[vault-store-backups].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/sandbox/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "google_storage_bucket[velero].encryption.default_kms_key_name should be defined and not null", + "found": "google_storage_bucket[velero].encryption.default_kms_key_name is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "86181e36-f237-4a58-96a2-864d0b9af170", + "name": "Bucket uniform bucket-level access should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 5, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access", + "fileName": "states/dev/storage.tf", + "lineNumber": 225, + "matchContent": " uniform_bucket_level_access = false", + "expected": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access should be true", + "found": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[merchant-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 425, + "matchContent": "resource \"google_storage_bucket\" \"merchant-reports\" {", + "expected": "google_storage_bucket[merchant-reports].uniform_bucket_level_access should be defined and not null", + "found": "google_storage_bucket[merchant-reports].uniform_bucket_level_access is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-merchant-assets]", + "fileName": "states/dev/storage.tf", + "lineNumber": 464, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-merchant-assets\" {", + "expected": "google_storage_bucket[test-dev-merchant-assets].uniform_bucket_level_access should be defined and not null", + "found": "google_storage_bucket[test-dev-merchant-assets].uniform_bucket_level_access is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[fivetran].uniform_bucket_level_access", + "fileName": "states/prod/storage.tf", + "lineNumber": 103, + "matchContent": " uniform_bucket_level_access = false", + "expected": "google_storage_bucket[fivetran].uniform_bucket_level_access should be true", + "found": "google_storage_bucket[fivetran].uniform_bucket_level_access is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access", + "fileName": "states/prod/storage.tf", + "lineNumber": 220, + "matchContent": " uniform_bucket_level_access = false", + "expected": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access should be true", + "found": "google_storage_bucket[test-withdrawals-reports].uniform_bucket_level_access is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "d92bdb30-a70e-43d8-ba04-4804510b01f4", + "name": "Bucket versioning should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 59, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/dev/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/dev/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[ops-filestore]", + "fileName": "states/dev/storage.tf", + "lineNumber": 24, + "matchContent": "resource \"google_storage_bucket\" \"ops-filestore\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/dev/storage.tf", + "lineNumber": 31, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 98, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gitlab-runner-caches].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 110, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 130, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 142, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 154, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 174, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[public].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 216, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 234, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 254, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 272, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mta-sts].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 284, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 296, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 317, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-athens].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 337, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 350, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 371, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 386, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 402, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-dd-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 418, + "matchContent": "resource \"google_storage_bucket\" \"terraform-dd-state\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[merchant-reports].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 445, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-merchant-assets].versioning.enabled", + "fileName": "states/dev/storage.tf", + "lineNumber": 484, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-tableau-1-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 497, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-tableau-1-backups\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/dev/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/prod/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/prod/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[datadog-logs-archive].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 58, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 76, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports-multi].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 94, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[fivetran].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 112, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 133, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 145, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 157, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-m2p-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 177, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 189, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-static].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 211, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 229, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 248, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 266, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-clevertap-export].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 277, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-crm].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 297, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 309, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-prod-ciso-reports].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 331, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 336, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 351, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 372, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/prod/storage.tf", + "lineNumber": 388, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 411, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[feeds].versioning.enabled", + "fileName": "states/prod/storage.tf", + "lineNumber": 431, + "matchContent": " enabled = false", + "expected": "'versioning.enabled' should be true", + "found": "'versioning.enabled' is false", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/prod/storage.tf", + "lineNumber": 445, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/prod/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 19, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 37, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 53, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/sandbox/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'versioning' should be defined and not null", + "found": "'versioning' it undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example_bucket\" {\n\tversioning {\n\t\tenabled = true\n\t}\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "47701d6d-7a64-4019-95ac-a1c784917ecd", + "name": "CPU Limits Not Set" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.limits", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 11, + "matchContent": " limits:", + "expected": "spec.containers.name=my-gpu-container has CPU limits", + "found": "spec.containers.name=my-gpu-container doesn't have CPU limits", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "3e2119e6-471d-4676-a60a-f62a0d626d3e", + "name": "CPU Requests Not Set" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 10, + "matchContent": " resources:", + "expected": "spec.containers.name=my-gpu-container.resources should have requests defined", + "found": "spec.containers.name=my-gpu-container.resources doesn't have requests defined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "96ce1ab7-e092-4dfc-b4c7-a1b5980fa158", + "name": "Cloud SQL database instance automated backups should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 3, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-3].settings.backup_configuration.enabled", + "fileName": "states/dev/sql.tf", + "lineNumber": 212, + "matchContent": " enabled = false", + "expected": "settings.backup_configuration.enabled should be true", + "found": "settings.backup_configuration.enabled is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-7].settings.backup_configuration.enabled", + "fileName": "states/dev/sql.tf", + "lineNumber": 271, + "matchContent": " enabled = false", + "expected": "settings.backup_configuration.enabled should be true", + "found": "settings.backup_configuration.enabled is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-1-clone].settings.backup_configuration.enabled", + "fileName": "states/dev/sql.tf", + "lineNumber": 330, + "matchContent": " enabled = false", + "expected": "settings.backup_configuration.enabled should be true", + "found": "settings.backup_configuration.enabled is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b0b8994a-77cc-4016-80ed-e2612f8ead82", + "name": "Compute instance should block project-wide SSH keys" + }, + "severity": "MEDIUM", + "failedResourceCount": 9, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_compute_instance[axilink-mc2].metadata", + "fileName": "modules/axilink-mc2/gce.tf", + "lineNumber": 47, + "matchContent": " metadata = {", + "expected": "google_compute_instance[axilink-mc2].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[axilink-mc2].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[axilink-mc2-db].metadata", + "fileName": "modules/axilink-mc2/gce.tf", + "lineNumber": 275, + "matchContent": " metadata = {", + "expected": "google_compute_instance[axilink-mc2-db].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[axilink-mc2-db].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[axilink].metadata", + "fileName": "modules/axilink/gce.tf", + "lineNumber": 41, + "matchContent": " metadata = {", + "expected": "google_compute_instance[axilink].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[axilink].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[axilink-db].metadata", + "fileName": "modules/axilink/gce.tf", + "lineNumber": 304, + "matchContent": " metadata = {", + "expected": "google_compute_instance[axilink-db].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[axilink-db].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[broker].metadata", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 12, + "matchContent": " metadata = {", + "expected": "google_compute_instance[broker].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[broker].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[zookeeper].metadata", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 46, + "matchContent": " metadata = {", + "expected": "google_compute_instance[zookeeper].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[zookeeper].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[connect].metadata", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 81, + "matchContent": " metadata = {", + "expected": "google_compute_instance[connect].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[connect].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[control-center].metadata", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 112, + "matchContent": " metadata = {", + "expected": "google_compute_instance[control-center].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[control-center].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_instance[intance].metadata", + "fileName": "modules/instance/gce.tf", + "lineNumber": 30, + "matchContent": " metadata = {", + "expected": "google_compute_instance[intance].metadata.block-project-ssh-keys should be set", + "found": "google_compute_instance[intance].metadata.block-project-ssh-keys is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "6a79d40a-4a2d-4d39-911d-7e43d7bc5056", + "name": "Container Running As Root" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "f4ce6d8b-2224-48a9-9267-0a1c16495ca1", + "name": "Container Running With Low UID" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.runAsUser should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.runAsUser is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "ef8a8ca6-687a-4887-a2e0-127bf936abba", + "name": "Ensure KMS keys are protected from deletion" + }, + "severity": "MEDIUM", + "failedResourceCount": 3, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_kms_crypto_key[vault-crypto-key]", + "fileName": "states/dev/kmc.tf", + "lineNumber": 7, + "matchContent": "resource \"google_kms_crypto_key\" \"vault-crypto-key\" {", + "expected": "'google_kms_crypto_key[vault-crypto-key].lifecycle.prevent_destroy' should be defined and set to true", + "found": "'google_kms_crypto_key[vault-crypto-key].lifecycle' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_kms_crypto_key[vault-crypto-key]", + "fileName": "states/prod/kmc.tf", + "lineNumber": 7, + "matchContent": "resource \"google_kms_crypto_key\" \"vault-crypto-key\" {", + "expected": "'google_kms_crypto_key[vault-crypto-key].lifecycle.prevent_destroy' should be defined and set to true", + "found": "'google_kms_crypto_key[vault-crypto-key].lifecycle' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_kms_crypto_key[vault-crypto-key]", + "fileName": "states/sandbox/kmc.tf", + "lineNumber": 9, + "matchContent": "resource \"google_kms_crypto_key\" \"vault-crypto-key\" {", + "expected": "'google_kms_crypto_key[vault-crypto-key].lifecycle.prevent_destroy' should be defined and set to true", + "found": "'google_kms_crypto_key[vault-crypto-key].lifecycle' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "20d6cbee-bf11-4db4-ae54-055c45e6ec87", + "name": "GKE cluster container-optimized-os (cos) node image should be used" + }, + "severity": "MEDIUM", + "failedResourceCount": 24, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-review].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 62, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-review-spot-2].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 99, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[review-infra].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 138, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[review-infra-2].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 176, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-stage-v2].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 219, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[debezium-pool].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 262, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[infra-pool-v3].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 307, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[istio-pool].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 356, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[argocd-pool].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 405, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[build-pool-v2].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 454, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[android-build-pool].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 504, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool].node_config.image_type", + "fileName": "states/dev/gke.tf", + "lineNumber": 550, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool].node_config.image_type", + "fileName": "states/dp/gke.tf", + "lineNumber": 60, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[infra-pool-v2].node_config.image_type", + "fileName": "states/prod/gke.tf", + "lineNumber": 70, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[dbz-pool-v2].node_config.image_type", + "fileName": "states/prod/gke.tf", + "lineNumber": 115, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gnr-pool].node_config.image_type", + "fileName": "states/prod/gke.tf", + "lineNumber": 206, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-prod-v4].node_config.image_type", + "fileName": "states/prod/gke.tf", + "lineNumber": 251, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool-v2].node_config.image_type", + "fileName": "states/prod/gke.tf", + "lineNumber": 340, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[app-pool-v2].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 71, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[infra-pool-v3].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 119, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[argocd-pool-v2].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 169, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool-optimised].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 218, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[sec-pool].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 268, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_node_pool[gke-pool-axilink].node_config.image_type", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 316, + "matchContent": " node_config {", + "expected": "'node_config.image_type' should start with 'COS'", + "found": "'node_config.image_type' does not start with 'COS'", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "836f8116-9c23-4e10-9c5d-13e4ee78440b", + "name": "GKE cluster intra-node visibility should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dev/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "'google_container_cluster[cluster].enable_intranode_visibility' should be defined and set to 'true'", + "found": "'google_container_cluster[cluster].enable_intranode_visibility' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_container_cluster\" \"example\" {\n enable_intranode_visibility = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/dp/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "'google_container_cluster[cluster].enable_intranode_visibility' should be defined and set to 'true'", + "found": "'google_container_cluster[cluster].enable_intranode_visibility' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_container_cluster\" \"example\" {\n enable_intranode_visibility = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/prod/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "'google_container_cluster[cluster].enable_intranode_visibility' should be defined and set to 'true'", + "found": "'google_container_cluster[cluster].enable_intranode_visibility' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_container_cluster\" \"example\" {\n enable_intranode_visibility = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster]", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 1, + "matchContent": "resource \"google_container_cluster\" \"cluster\" {", + "expected": "'google_container_cluster[cluster].enable_intranode_visibility' should be defined and set to 'true'", + "found": "'google_container_cluster[cluster].enable_intranode_visibility' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_container_cluster\" \"example\" {\n enable_intranode_visibility = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "a46b6e1e-8896-4209-878b-241f4cc64d0d", + "name": "GKE cluster shielded nodes should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster].enable_shielded_nodes", + "fileName": "states/dev/gke.tf", + "lineNumber": 8, + "matchContent": " enable_shielded_nodes = false", + "expected": "google_container_cluster.enable_shielded_nodes should be set to true", + "found": "google_container_cluster.enable_shielded_nodes is set to false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "0617dde1-c9da-415c-822a-59ebab07b698", + "name": "GKE private cluster private endpoint should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster].private_cluster_config", + "fileName": "states/dev/gke.tf", + "lineNumber": 21, + "matchContent": " private_cluster_config {", + "expected": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "found": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster].private_cluster_config", + "fileName": "states/dp/gke.tf", + "lineNumber": 20, + "matchContent": " private_cluster_config {", + "expected": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "found": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster].private_cluster_config", + "fileName": "states/prod/gke.tf", + "lineNumber": 26, + "matchContent": " private_cluster_config {", + "expected": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "found": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_container_cluster[cluster].private_cluster_config", + "fileName": "states/sandbox/gke.tf", + "lineNumber": 24, + "matchContent": " private_cluster_config {", + "expected": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "found": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "89f521ea-4fa4-42bc-9e58-fbd609336a3f", + "name": "Liveness Probe Is Not Defined" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.livenessProbe should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.livenessProbe is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "83465fcc-a5ea-4596-acc5-312b9f127807", + "name": "Memory Limits Not Defined" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 11, + "matchContent": " limits:", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.limits.memory should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.limits.memory is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "3faf9bf7-5a82-4df0-95b1-0a8d9c9e98cf", + "name": "Memory Requests Not Defined" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.requests.memory should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.resources.requests.memory is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "17c00818-5fae-4d31-a38f-1f83da562a91", + "name": "Memorystore Redis instance AUTH should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "modules/redis/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].auth_enabled' should be defined and set to 'true'", + "found": "'google_redis_instance[redis].auth_enabled' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n auth_enabled = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "states/dev/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].auth_enabled' should be defined and set to 'true'", + "found": "'google_redis_instance[redis].auth_enabled' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n auth_enabled = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis-infra]", + "fileName": "states/dev/redis.tf", + "lineNumber": 19, + "matchContent": "resource \"google_redis_instance\" \"redis-infra\" {", + "expected": "'google_redis_instance[redis-infra].auth_enabled' should be defined and set to 'true'", + "found": "'google_redis_instance[redis-infra].auth_enabled' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n auth_enabled = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "states/sandbox/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].auth_enabled' should be defined and set to 'true'", + "found": "'google_redis_instance[redis].auth_enabled' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n auth_enabled = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "50fb5eb1-5424-4825-a925-e08a28fe0cd3", + "name": "Memorystore Redis instance encryption in transit should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 4, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "modules/redis/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].transit_encryption_mode' should be defined and set to 'SERVER_AUTHENTICATION'", + "found": "'google_redis_instance[redis].transit_encryption_mode' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n transit_encryption_mode = \"SERVER_AUTHENTICATION\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "states/dev/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].transit_encryption_mode' should be defined and set to 'SERVER_AUTHENTICATION'", + "found": "'google_redis_instance[redis].transit_encryption_mode' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n transit_encryption_mode = \"SERVER_AUTHENTICATION\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis-infra]", + "fileName": "states/dev/redis.tf", + "lineNumber": 19, + "matchContent": "resource \"google_redis_instance\" \"redis-infra\" {", + "expected": "'google_redis_instance[redis-infra].transit_encryption_mode' should be defined and set to 'SERVER_AUTHENTICATION'", + "found": "'google_redis_instance[redis-infra].transit_encryption_mode' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n transit_encryption_mode = \"SERVER_AUTHENTICATION\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_redis_instance[redis]", + "fileName": "states/sandbox/redis.tf", + "lineNumber": 1, + "matchContent": "resource \"google_redis_instance\" \"redis\" {", + "expected": "'google_redis_instance[redis].transit_encryption_mode' should be defined and set to 'SERVER_AUTHENTICATION'", + "found": "'google_redis_instance[redis].transit_encryption_mode' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_redis_instance\" \"example\" {\n transit_encryption_mode = \"SERVER_AUTHENTICATION\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "4a04339e-2121-4117-8532-958822e55adc", + "name": "Pod should run containers with filesystems mounted as read-only" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.readOnlyRootFilesystem should be set to true", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.readOnlyRootFilesystem is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "4e9b68ed-1fd2-4298-b5d2-6ef9e77310af", + "name": "PostgreSQL instance 'log_min_duration_statement' flag should be set to '-1' (disabled)" + }, + "severity": "MEDIUM", + "failedResourceCount": 17, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 75, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '983'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-2].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 155, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-2].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-2].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '1000'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-3].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 223, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-3].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-3].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '1000'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-7].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 282, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-7].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-7].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '1000'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-1-clone].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 341, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-1-clone].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-1-clone].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '1000'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-5].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 401, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-5].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-5].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '1000'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 34, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-2].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 93, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-2].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-2].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-3].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 153, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-3].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-3].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-4].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 212, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-4].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-4].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-5].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 272, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-5].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-5].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-6].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 338, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-6].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-6].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-7].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 399, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-7].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-7].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-8].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 460, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-8].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-8].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-10].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 525, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-10].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-10].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-11].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 587, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-11].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg-11].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '100'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/sandbox/sql.tf", + "lineNumber": 56, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' should have 'value' set to '-1'", + "found": "'google_sql_database_instance[pg].settings.database_flags' with 'name' set to 'log_min_duration_statement' has 'value' set to '983'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_min_duration_statement\"\n value = \"-1\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "eb6cb3c8-6678-4b9f-bad8-4e03a8991fdc", + "name": "PostgreSQL instance 'log_temp_files' flag should be set to '0' (on)" + }, + "severity": "MEDIUM", + "failedResourceCount": 17, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 92, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-2].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 171, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-2].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-2].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-3].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 235, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-3].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-3].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-7].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 294, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-7].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-7].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-1-clone].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 353, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-1-clone].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-1-clone].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-5].settings.database_flags", + "fileName": "states/dev/sql.tf", + "lineNumber": 415, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-5].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-5].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 44, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-2].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 108, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-2].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-2].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-3].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 167, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-3].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-3].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-4].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 227, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-4].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-4].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-5].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 292, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-5].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-5].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-6].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 353, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-6].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-6].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-7].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 414, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-7].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-7].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-8].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 475, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-8].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-8].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-10].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 540, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-10].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-10].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg-11].settings.database_flags", + "fileName": "states/prod/sql.tf", + "lineNumber": 602, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg-11].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg-11].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_sql_database_instance[pg].settings.database_flags", + "fileName": "states/sandbox/sql.tf", + "lineNumber": 74, + "matchContent": " database_flags {", + "expected": "'google_sql_database_instance[pg].settings.database_flags' should be defined with 'log_temp_files' set to '0'", + "found": "'google_sql_database_instance[pg].settings.database_flags' is not defined with 'log_temp_files' set to '0'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_sql_database_instance\" \"example_instance\" {\n settings {\n database_flags {\n name = \"log_temp_files\"\n value = \"0\"\n }\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "1f468745-4f32-431d-bf99-144451ce8a03", + "name": "PubSub topic should be encrypted with a customer-managed key" + }, + "severity": "MEDIUM", + "failedResourceCount": 16, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[pubsub-topic]", + "fileName": "modules/pubsub/main.tf", + "lineNumber": 1, + "matchContent": "resource \"google_pubsub_topic\" \"pubsub-topic\" {", + "expected": "'google_pubsub_topic[pubsub-topic].kms_key_name' should be defined", + "found": "'google_pubsub_topic[pubsub-topic].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[cashback]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 1, + "matchContent": "resource \"google_pubsub_topic\" \"cashback\" {", + "expected": "'google_pubsub_topic[cashback].kms_key_name' should be defined", + "found": "'google_pubsub_topic[cashback].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[checkout]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 6, + "matchContent": "resource \"google_pubsub_topic\" \"checkout\" {", + "expected": "'google_pubsub_topic[checkout].kms_key_name' should be defined", + "found": "'google_pubsub_topic[checkout].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[checkout-sse]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 11, + "matchContent": "resource \"google_pubsub_topic\" \"checkout-sse\" {", + "expected": "'google_pubsub_topic[checkout-sse].kms_key_name' should be defined", + "found": "'google_pubsub_topic[checkout-sse].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[customer]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 16, + "matchContent": "resource \"google_pubsub_topic\" \"customer\" {", + "expected": "'google_pubsub_topic[customer].kms_key_name' should be defined", + "found": "'google_pubsub_topic[customer].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[loans]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 21, + "matchContent": "resource \"google_pubsub_topic\" \"loans\" {", + "expected": "'google_pubsub_topic[loans].kms_key_name' should be defined", + "found": "'google_pubsub_topic[loans].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[merchant]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 26, + "matchContent": "resource \"google_pubsub_topic\" \"merchant\" {", + "expected": "'google_pubsub_topic[merchant].kms_key_name' should be defined", + "found": "'google_pubsub_topic[merchant].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[payment]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 31, + "matchContent": "resource \"google_pubsub_topic\" \"payment\" {", + "expected": "'google_pubsub_topic[payment].kms_key_name' should be defined", + "found": "'google_pubsub_topic[payment].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[payment_events]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 36, + "matchContent": "resource \"google_pubsub_topic\" \"payment_events\" {", + "expected": "'google_pubsub_topic[payment_events].kms_key_name' should be defined", + "found": "'google_pubsub_topic[payment_events].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[payment_gateway_internal_jobs]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 41, + "matchContent": "resource \"google_pubsub_topic\" \"payment_gateway_internal_jobs\" {", + "expected": "'google_pubsub_topic[payment_gateway_internal_jobs].kms_key_name' should be defined", + "found": "'google_pubsub_topic[payment_gateway_internal_jobs].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[payments]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 46, + "matchContent": "resource \"google_pubsub_topic\" \"payments\" {", + "expected": "'google_pubsub_topic[payments].kms_key_name' should be defined", + "found": "'google_pubsub_topic[payments].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[reminder]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 51, + "matchContent": "resource \"google_pubsub_topic\" \"reminder\" {", + "expected": "'google_pubsub_topic[reminder].kms_key_name' should be defined", + "found": "'google_pubsub_topic[reminder].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[report]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 56, + "matchContent": "resource \"google_pubsub_topic\" \"report\" {", + "expected": "'google_pubsub_topic[report].kms_key_name' should be defined", + "found": "'google_pubsub_topic[report].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[settlements]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 61, + "matchContent": "resource \"google_pubsub_topic\" \"settlements\" {", + "expected": "'google_pubsub_topic[settlements].kms_key_name' should be defined", + "found": "'google_pubsub_topic[settlements].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[withdrawals]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 66, + "matchContent": "resource \"google_pubsub_topic\" \"withdrawals\" {", + "expected": "'google_pubsub_topic[withdrawals].kms_key_name' should be defined", + "found": "'google_pubsub_topic[withdrawals].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_pubsub_topic[customers]", + "fileName": "states/dev/pubsub.tf", + "lineNumber": 71, + "matchContent": "resource \"google_pubsub_topic\" \"customers\" {", + "expected": "'google_pubsub_topic[customers].kms_key_name' should be defined", + "found": "'google_pubsub_topic[customers].kms_key_name' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "80238701-3e00-4140-9fb1-b521932ae206", + "name": "Readiness Probe Is Not Configured" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.readinessProbe should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.readinessProbe is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "0483b96c-0361-415f-88bd-f360165f382e", + "name": "Seccomp Profile Is Not Configured" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.seccompProfile.type should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.seccompProfile.type is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "bf9c367b-44a6-474a-93d1-12fb1d064795", + "name": "Service Account Name Undefined Or Empty" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 5, + "matchContent": "spec:", + "expected": "metadata.name=my-gpu-pod.spec.serviceAccountName should be defined", + "found": "metadata.name=my-gpu-pod.spec.serviceAccountName is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "e7f20e1e-efed-40f5-a20c-2f5453e3771e", + "name": "Service Account Token Automount Not Disabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "metadata.name={{my-gpu-pod}}.spec", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 5, + "matchContent": "spec:", + "expected": "metadata.name={{my-gpu-pod}}.spec.automountServiceAccountToken should be defined and set to false", + "found": "metadata.name={{my-gpu-pod}}.spec.automountServiceAccountToken is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "ae4cf2f5-1b7a-4da5-9c36-50e3178b7c15", + "name": "Spanner Database deletion protection should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_spanner_database[database].deletion_protection", + "fileName": "states/dev/spanner.tf", + "lineNumber": 11, + "matchContent": " deletion_protection = false", + "expected": "'google_spanner_database[database].deletion_protection' should be set to 'true'", + "found": "'google_spanner_database[database].deletion_protection' is set to 'true'", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_spanner_database\" \"example\" {\n deletion_protection = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "079b6c2d-55b1-419e-8d5a-5acfdc624484", + "name": "Spanner Database drop protection should be enabled" + }, + "severity": "MEDIUM", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_spanner_database[database]", + "fileName": "states/dev/spanner.tf", + "lineNumber": 8, + "matchContent": "resource \"google_spanner_database\" \"database\" {", + "expected": "'google_spanner_database[database].enable_drop_protection' should be defined and set to 'true'", + "found": "'google_spanner_database[database].enable_drop_protection' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_spanner_database\" \"negative\" {\n enable_drop_protection = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_spanner_database[payment-gateway]", + "fileName": "states/prod/spanner.tf", + "lineNumber": 8, + "matchContent": "resource \"google_spanner_database\" \"payment-gateway\" {", + "expected": "'google_spanner_database[payment-gateway].enable_drop_protection' should be defined and set to 'true'", + "found": "'google_spanner_database[payment-gateway].enable_drop_protection' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_spanner_database\" \"negative\" {\n enable_drop_protection = true\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "7811681b-9a1a-4267-b796-da21a5a126b5", + "name": "Spanner Database should be encrypted with a customer-supplied encryption key" + }, + "severity": "MEDIUM", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_spanner_database[database]", + "fileName": "states/dev/spanner.tf", + "lineNumber": 8, + "matchContent": "resource \"google_spanner_database\" \"database\" {", + "expected": "'google_spanner_database[database].encryption_config.kms_key_name' should be defined", + "found": "'google_spanner_database[database].encryption_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_spanner_database\" \"example\" {\n encryption_config {\n kms_key_name = google_kms_crypto_key.example.id\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_spanner_database[payment-gateway]", + "fileName": "states/prod/spanner.tf", + "lineNumber": 8, + "matchContent": "resource \"google_spanner_database\" \"payment-gateway\" {", + "expected": "'google_spanner_database[payment-gateway].encryption_config.kms_key_name' should be defined", + "found": "'google_spanner_database[payment-gateway].encryption_config' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_spanner_database\" \"example\" {\n encryption_config {\n kms_key_name = google_kms_crypto_key.example.id\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "23404985-be84-4661-b4cb-b3630aa081ed", + "name": "Using Unrecommended Namespace" + }, + "severity": "MEDIUM", + "failedResourceCount": 1, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "kind={{Pod}}.metadata.name={{my-gpu-pod}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 4, + "matchContent": " name: my-gpu-pod", + "expected": "metadata.namespace should be defined and not null", + "found": "metadata.namespace is undefined or null", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "39c3829f-e61f-487c-8de4-0099f02e8c6d", + "name": "VPC firewall rule should restrict SSH access (TCP - port 22)" + }, + "severity": "MEDIUM", + "failedResourceCount": 2, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_compute_firewall[test-dp-ssh].allow.ports=22", + "fileName": "states/dp/firewall.tf", + "lineNumber": 28, + "matchContent": " ports = [\"22\"]", + "expected": "'google_compute_firewall[test-dp-ssh].allow.ports' should not include SSH port 22", + "found": "'google_compute_firewall[test-dp-ssh].allow.ports' includes SSH port 22", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_compute_firewall[test-dwh-ssh].allow.ports=22", + "fileName": "states/dwh/firewall.tf", + "lineNumber": 28, + "matchContent": " ports = [\"22\"]", + "expected": "'google_compute_firewall[test-dwh-ssh].allow.ports' should not include SSH port 22", + "found": "'google_compute_firewall[test-dwh-ssh].allow.ports' includes SSH port 22", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "487ebfd4-6f73-4380-b522-d0561cd7d69a", + "name": "Bucket public access prevention should be enforced" + }, + "severity": "HIGH", + "failedResourceCount": 61, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/dev/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'google_storage_bucket[elastic-snapshots].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[elastic-snapshots].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/dev/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'google_storage_bucket[vault-store].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[ops-filestore]", + "fileName": "states/dev/storage.tf", + "lineNumber": 24, + "matchContent": "resource \"google_storage_bucket\" \"ops-filestore\" {", + "expected": "'google_storage_bucket[ops-filestore].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[ops-filestore].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/dev/storage.tf", + "lineNumber": 31, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'google_storage_bucket[axi-pgbackrest].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[axi-pgbackrest].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 56, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'google_storage_bucket[terraform-state].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-state].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 85, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'google_storage_bucket[cloud-sql-exports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[cloud-sql-exports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[gitlab-runner-caches]", + "fileName": "states/dev/storage.tf", + "lineNumber": 103, + "matchContent": "resource \"google_storage_bucket\" \"gitlab-runner-caches\" {", + "expected": "'google_storage_bucket[gitlab-runner-caches].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[gitlab-runner-caches].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 123, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'google_storage_bucket[test-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 135, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'google_storage_bucket[test-settlement-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-settlement-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 147, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'google_storage_bucket[test-chat-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-chat-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/dev/storage.tf", + "lineNumber": 167, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'google_storage_bucket[test-mail-attachments].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-mail-attachments].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[public]", + "fileName": "states/dev/storage.tf", + "lineNumber": 209, + "matchContent": "resource \"google_storage_bucket\" \"public\" {", + "expected": "'google_storage_bucket[public].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[public].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 221, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'google_storage_bucket[test-withdrawals-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-withdrawals-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/dev/storage.tf", + "lineNumber": 247, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'google_storage_bucket[test-ai-models].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-ai-models].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 259, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'google_storage_bucket[sanity-dataset-exports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[sanity-dataset-exports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-mta-sts]", + "fileName": "states/dev/storage.tf", + "lineNumber": 277, + "matchContent": "resource \"google_storage_bucket\" \"test-mta-sts\" {", + "expected": "'google_storage_bucket[test-mta-sts].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-mta-sts].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/dev/storage.tf", + "lineNumber": 289, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'google_storage_bucket[test-customer-support].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-customer-support].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/dev/storage.tf", + "lineNumber": 310, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'google_storage_bucket[test-merchant-dashboard-files].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-merchant-dashboard-files].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-athens]", + "fileName": "states/dev/storage.tf", + "lineNumber": 330, + "matchContent": "resource \"google_storage_bucket\" \"test-athens\" {", + "expected": "'google_storage_bucket[test-athens].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-athens].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 350, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'google_storage_bucket[gcp-iam-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[gcp-iam-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 371, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'google_storage_bucket[terraform-state-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-state-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 386, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'google_storage_bucket[vault-store-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 402, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'google_storage_bucket[vault-store-backups].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backups].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-dd-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 418, + "matchContent": "resource \"google_storage_bucket\" \"terraform-dd-state\" {", + "expected": "'google_storage_bucket[terraform-dd-state].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-dd-state].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[merchant-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 425, + "matchContent": "resource \"google_storage_bucket\" \"merchant-reports\" {", + "expected": "'google_storage_bucket[merchant-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[merchant-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-dev-merchant-assets]", + "fileName": "states/dev/storage.tf", + "lineNumber": 464, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-merchant-assets\" {", + "expected": "'google_storage_bucket[test-dev-merchant-assets].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-dev-merchant-assets].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-dev-tableau-1-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 497, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-tableau-1-backups\" {", + "expected": "'google_storage_bucket[test-dev-tableau-1-backups].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-dev-tableau-1-backups].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/dev/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'google_storage_bucket[velero].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[velero].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/prod/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'google_storage_bucket[elastic-snapshots].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[elastic-snapshots].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/prod/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'google_storage_bucket[vault-store].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/prod/storage.tf", + "lineNumber": 33, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'google_storage_bucket[terraform-state].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-state].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[datadog-logs-archive]", + "fileName": "states/prod/storage.tf", + "lineNumber": 45, + "matchContent": "resource \"google_storage_bucket\" \"datadog-logs-archive\" {", + "expected": "'google_storage_bucket[datadog-logs-archive].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[datadog-logs-archive].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 63, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'google_storage_bucket[cloud-sql-exports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[cloud-sql-exports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[cloud-sql-exports-multi]", + "fileName": "states/prod/storage.tf", + "lineNumber": 81, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports-multi\" {", + "expected": "'google_storage_bucket[cloud-sql-exports-multi].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[cloud-sql-exports-multi].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[fivetran]", + "fileName": "states/prod/storage.tf", + "lineNumber": 99, + "matchContent": "resource \"google_storage_bucket\" \"fivetran\" {", + "expected": "'google_storage_bucket[fivetran].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[fivetran].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 126, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'google_storage_bucket[test-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 138, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'google_storage_bucket[test-settlement-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-settlement-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 150, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'google_storage_bucket[test-chat-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-chat-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-m2p-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 170, + "matchContent": "resource \"google_storage_bucket\" \"test-m2p-reports\" {", + "expected": "'google_storage_bucket[test-m2p-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-m2p-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/prod/storage.tf", + "lineNumber": 182, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'google_storage_bucket[test-mail-attachments].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-mail-attachments].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-static]", + "fileName": "states/prod/storage.tf", + "lineNumber": 204, + "matchContent": "resource \"google_storage_bucket\" \"test-static\" {", + "expected": "'google_storage_bucket[test-static].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-static].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 216, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'google_storage_bucket[test-withdrawals-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-withdrawals-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/prod/storage.tf", + "lineNumber": 241, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'google_storage_bucket[test-ai-models].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-ai-models].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 253, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'google_storage_bucket[sanity-dataset-exports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[sanity-dataset-exports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-clevertap-export]", + "fileName": "states/prod/storage.tf", + "lineNumber": 270, + "matchContent": "resource \"google_storage_bucket\" \"test-clevertap-export\" {", + "expected": "'google_storage_bucket[test-clevertap-export].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-clevertap-export].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-crm]", + "fileName": "states/prod/storage.tf", + "lineNumber": 290, + "matchContent": "resource \"google_storage_bucket\" \"test-crm\" {", + "expected": "'google_storage_bucket[test-crm].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-crm].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/prod/storage.tf", + "lineNumber": 302, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'google_storage_bucket[test-customer-support].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-customer-support].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-prod-ciso-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 324, + "matchContent": "resource \"google_storage_bucket\" \"test-prod-ciso-reports\" {", + "expected": "'google_storage_bucket[test-prod-ciso-reports].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-prod-ciso-reports].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 336, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'google_storage_bucket[terraform-state-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-state-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 351, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'google_storage_bucket[gcp-iam-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[gcp-iam-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 372, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'google_storage_bucket[vault-store-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/prod/storage.tf", + "lineNumber": 388, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'google_storage_bucket[vault-store-backups].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backups].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/prod/storage.tf", + "lineNumber": 404, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'google_storage_bucket[test-merchant-dashboard-files].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[test-merchant-dashboard-files].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[feeds]", + "fileName": "states/prod/storage.tf", + "lineNumber": 424, + "matchContent": "resource \"google_storage_bucket\" \"feeds\" {", + "expected": "'google_storage_bucket[feeds].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[feeds].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/prod/storage.tf", + "lineNumber": 445, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'google_storage_bucket[axi-pgbackrest].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[axi-pgbackrest].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/prod/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'google_storage_bucket[velero].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[velero].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'google_storage_bucket[vault-store].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 19, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'google_storage_bucket[terraform-state-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[terraform-state-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 37, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'google_storage_bucket[vault-store-backup].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backup].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 53, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'google_storage_bucket[vault-store-backups].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[vault-store-backups].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/sandbox/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'google_storage_bucket[velero].public_access_prevention' should be defined and set to 'enforced'", + "found": "'google_storage_bucket[velero].public_access_prevention' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_storage_bucket\" \"example\" {\n public_access_prevention = \"enforced\"\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b072a058-bdf1-484e-af24-265014e40748", + "name": "Cloud SQL database instance transport encryption should be enabled" + }, + "severity": "HIGH", + "failedResourceCount": 17, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 36, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-2].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 123, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-3].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 207, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-7].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 266, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-1-clone].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 325, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-5].settings.ip_configuration", + "fileName": "states/dev/sql.tf", + "lineNumber": 384, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 17, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-2].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 76, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-3].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 136, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-4].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 195, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-5].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 255, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-6].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 321, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-7].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 382, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-8].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 443, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-10].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 508, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_sql_database_instance[pg-11].settings.ip_configuration", + "fileName": "states/prod/sql.tf", + "lineNumber": 570, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null + ], + "resourceName": "google_sql_database_instance[pg].settings.ip_configuration", + "fileName": "states/sandbox/sql.tf", + "lineNumber": 39, + "matchContent": " ip_configuration {", + "expected": "'settings.ip_configuration.ssl_mode' or 'settings.ip_configuration.require_ssl' should be defined and not null", + "found": "Neither 'settings.ip_configuration.ssl_mode' nor 'settings.ip_configuration.require_ssl' is defined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "b761b45d-3e3a-46d6-a430-596ec8f155fc", + "name": "Compute instance Shielded VM should be fully enabled" }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yaml", - "lineNumber": 32, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "severity": "HIGH", + "failedResourceCount": 9, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yaml", - "lineNumber": 34, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yaml", - "lineNumber": 35, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[axilink-mc2]", + "fileName": "modules/axilink-mc2/gce.tf", + "lineNumber": 7, + "matchContent": "resource \"google_compute_instance\" \"axilink-mc2\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yaml", - "lineNumber": 36, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[axilink-mc2-db]", + "fileName": "modules/axilink-mc2/gce.tf", + "lineNumber": 243, + "matchContent": "resource \"google_compute_instance\" \"axilink-mc2-db\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yaml", - "lineNumber": 37, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[axilink]", + "fileName": "modules/axilink/gce.tf", + "lineNumber": 6, + "matchContent": "resource \"google_compute_instance\" \"axilink\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "path": "docker-compose.yaml", - "lineNumber": 39, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[axilink-db]", + "fileName": "modules/axilink/gce.tf", + "lineNumber": 275, + "matchContent": "resource \"google_compute_instance\" \"axilink-db\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "path": "docker-compose.yaml", - "lineNumber": 40, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[broker]", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 1, + "matchContent": "resource \"google_compute_instance\" \"broker\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "path": "docker-compose.yaml", - "lineNumber": 41, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[zookeeper]", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 35, + "matchContent": "resource \"google_compute_instance\" \"zookeeper\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "path": "docker-compose.yaml", - "lineNumber": 42, - "offset": 0, - "type": "PASSWORD", - "contains": [ - { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/apid_test?)", - "type": "PASSWORD" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[connect]", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 70, + "matchContent": "resource \"google_compute_instance\" \"connect\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Private Key", - "path": "docker-compose.yaml", - "lineNumber": 82, - "offset": 0, - "type": "PRIVATE_KEY", - "contains": [ - { - "name": "Passwords And Secrets - Private Key", - "type": "PRIVATE_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + ], + "resourceName": "google_compute_instance[control-center]", + "fileName": "modules/confluent-platform/instances.tf", + "lineNumber": 101, + "matchContent": "resource \"google_compute_instance\" \"control-center\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null + ], + "resourceName": "google_compute_instance[intance]", + "fileName": "modules/instance/gce.tf", + "lineNumber": 1, + "matchContent": "resource \"google_compute_instance\" \"intance\" {", + "expected": "Attribute 'shielded_instance_config' should be defined and not null", + "found": "Attribute 'shielded_instance_config' is undefined or null", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n shielded_instance_config {\n enable_secure_boot = true\n enable_vtpm = true\n enable_integrity_monitoring = true\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "74a9d867-3413-433a-9a6b-492bffddc8be", + "name": "Compute instance should not have a public IP address" }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Private Key", - "path": "docker-compose.yaml", - "lineNumber": 210, - "offset": 0, - "type": "PRIVATE_KEY", - "contains": [ - { - "name": "Passwords And Secrets - Private Key", - "type": "PRIVATE_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "severity": "HIGH", + "failedResourceCount": 1, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - } - ], - "details": null - }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Private Key", - "path": "docker-compose.yaml", - "lineNumber": 82, - "offset": 0, - "type": "PUBLIC_KEY", - "contains": [ - { - "name": "Passwords And Secrets - Private Key", - "type": "PUBLIC_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - } - ], - "details": null + ], + "resourceName": "google_compute_instance[intance].network_interface.access_config", + "fileName": "modules/instance/gce.tf", + "lineNumber": 22, + "matchContent": " access_config {", + "expected": "google_compute_instance[intance].network_interface should not have access_config", + "found": "google_compute_instance[intance].network_interface has access_config", + "fileType": "TERRAFORM", + "remediationInstructions": "resource \"google_compute_instance\" \"example_instance\" {\n network_interface {\n network = \"default\"\n network_ip = \"10.0.0.1\" // Private IP address\n }\n}", + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "ea94f522-7353-41d6-8884-d9e0492effd0", + "name": "Host Aliases Undefined Or Empty" }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Private Key", - "path": "docker-compose.yaml", - "lineNumber": 210, - "offset": 0, - "type": "PUBLIC_KEY", - "contains": [ - { - "name": "Passwords And Secrets - Private Key", - "type": "PUBLIC_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "severity": "HIGH", + "failedResourceCount": 1, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - } - ], - "details": null + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "metadata.name={{my-gpu-pod}}.spec", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 5, + "matchContent": "spec:", + "expected": "metadata.name=my-gpu-pod.spec.hostAliases is defined", + "found": "metadata.name=my-gpu-pod.spec.hostAliases is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "4ebd1844-f5a5-43ef-8694-5d6b0792257d", + "name": "NET_RAW Capabilities Not Being Dropped" }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Certificate for evilorg.com", - "path": "docker-compose.yaml", - "lineNumber": 239, - "offset": 0, - "type": "PUBLIC_KEY", - "contains": [ - { - "name": "Passwords And Secrets - Certificate for evilorg.com", - "type": "PUBLIC_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "severity": "HIGH", + "failedResourceCount": 1, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - } - ], - "details": null + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}", + "fileName": "states/dp/pod-for-GPU-check.yaml", + "lineNumber": 7, + "matchContent": " - name: my-gpu-container", + "expected": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.capabilities.drop should be defined", + "found": "metadata.name={{my-gpu-pod}}.spec.containers.name={{my-gpu-container}}.securityContext.capabilities.drop is undefined", + "fileType": "KUBERNETES", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + }, + { + "rule": { + "id": "380d44e2-5672-491f-b03f-6c487e57056d", + "name": "VPC firewall rule should allow access over specific ports only" }, - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - SaaS API Key (SendGrid)", - "path": "docker-compose.yaml", - "lineNumber": 197, - "offset": 0, - "type": "SAAS_API_KEY", - "contains": [ - { - "name": "Passwords And Secrets - SaaS API Key (SendGrid)", - "type": "SAAS_API_KEY" - } - ], - "snippet": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "severity": "HIGH", + "failedResourceCount": 5, + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - } - ], - "details": null - } - ], - "fileTypes": [ - "DOCKERFILE" - ] + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "matches": [ + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_compute_network[vpc]", + "fileName": "states/dev/vpc.tf", + "lineNumber": 1, + "matchContent": "resource \"google_compute_network\" \"vpc\" {", + "expected": "'google_compute_network[vpc]' should not be using a firewall rule that allows access to all ports", + "found": "'google_compute_network[vpc]' is using a firewall rule that allows access to all ports", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_compute_network[vpc]", + "fileName": "states/dp/vpc.tf", + "lineNumber": 16, + "matchContent": "resource \"google_compute_network\" \"vpc\" {", + "expected": "'google_compute_network[vpc]' should not be using a firewall rule that allows access to all ports", + "found": "'google_compute_network[vpc]' is using a firewall rule that allows access to all ports", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_compute_network[vpc]", + "fileName": "states/dwh/vpc.tf", + "lineNumber": 16, + "matchContent": "resource \"google_compute_network\" \"vpc\" {", + "expected": "'google_compute_network[vpc]' should not be using a firewall rule that allows access to all ports", + "found": "'google_compute_network[vpc]' is using a firewall rule that allows access to all ports", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_compute_network[vpc]", + "fileName": "states/sandbox/vpc.tf", + "lineNumber": 1, + "matchContent": "resource \"google_compute_network\" \"vpc\" {", + "expected": "'google_compute_network[vpc]' should not be using a firewall rule that allows access to all ports", + "found": "'google_compute_network[vpc]' is using a firewall rule that allows access to all ports", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + }, + { + "failedPolicies": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resourceName": "google_compute_network[vpc]", + "fileName": "states/test-dp-dev/vpc.tf", + "lineNumber": 6, + "matchContent": "resource \"google_compute_network\" \"vpc\" {", + "expected": "'google_compute_network[vpc]' should not be using a firewall rule that allows access to all ports", + "found": "'google_compute_network[vpc]' is using a firewall rule that allows access to all ports", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [], + "iacFinding": null + } + ] + } + ], + "scanStatistics": { + "infoMatches": 0, + "lowMatches": 131, + "mediumMatches": 252, + "highMatches": 95, + "criticalMatches": 0, + "totalMatches": 0, + "filesFound": 107, + "filesParsed": 107, + "queriesLoaded": 1485, + "queriesExecuted": 1474, + "queriesExecutionFailed": 0 }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans" - } - \ No newline at end of file + "secrets": null, + "fileTypes": [ + "KUBERNETES", + "TERRAFORM" + ], + "discoveredResources": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%252780018f07-b8ec-4cb0-8159-570683fb26a8%252A2c2025-05-14T10%2525%25252A3a27%2525%25252A3a08.345715984Z%2527%2529" +} diff --git a/unittests/scans/wizcli_iac/wizcli_iac_one_vul.json b/unittests/scans/wizcli_iac/wizcli_iac_one_vul.json index abdd25b385d..abeed8a2cb4 100644 --- a/unittests/scans/wizcli_iac/wizcli_iac_one_vul.json +++ b/unittests/scans/wizcli_iac/wizcli_iac_one_vul.json @@ -1,174 +1,3457 @@ { - "id": "8001e45d-5757-4106-a943-9790afe86248", - "projects": null, - "createdAt": "2024-07-17T07:42:58.585385078Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" - } - }, - "status": { - "state": "SUCCESS", - "verdict": "WARN_BY_POLICY" - }, - "policies": [ - { - "id": "ce4872e0-ea52-463f-aad7-6ba1807062fa", - "name": "Default IaC policy", - "description": "Default built-in policy for Infrastructure as Code scanning", - "type": "IAC", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "ADMISSION_CONTROLLER" - }, - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsiac", - "severityThreshold": "CRITICAL", - "countThreshold": 1, - "ignoredRules": null, - "validatableIgnoredRules": null, - "builtinIgnoreTagsEnabled": false, - "customIgnoreTags": null, - "securityFrameworks": null - } - }, - { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "id": "80018f07-b8ec-4cb0-8159-570683fb26a8", + "projects": null, + "createdAt": "2025-05-14T10:27:25.982799496Z", + "startedAt": "2025-05-14T10:27:08.345715984Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER" + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null } - ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginIAC", - "name": "IAC scan 2024-07-17T07:42:16Z", - "subTypes": [ - "KUBERNETES", - "CLOUD_FORMATION" - ] }, - "result": { - "__typename": "CICDIACScanResult", - "failedPolicyMatches": [ + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" } ], - "ruleMatches": null, - "scanStatistics": { - "infoMatches": 0, - "lowMatches": 0, - "mediumMatches": 0, - "highMatches": 0, - "criticalMatches": 0, - "totalMatches": 0, - "filesFound": 114, - "filesParsed": 74, - "queriesLoaded": 389, - "queriesExecuted": 541, - "queriesExecutionFailed": 0 - }, - "secrets": [ - { - "id": null, - "externalId": null, - "description": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "path": "docker-compose.yml", - "lineNumber": 58, - "offset": 0, - "type": "PASSWORD", - "contains": [ + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": null, + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginIAC", + "name": "IAC scan 2025-05-14T10:27:07Z", + "subTypes": [ + "TERRAFORM", + "KUBERNETES" + ] + }, + "result": { + "__typename": "CICDIACScanResult", + "failedPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "name": "Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", - "type": "PASSWORD" - } - ], - "snippet": "postgres://---REDACTED---@db:5432/postgres?", - "failedPolicyMatches": [ + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "details": null - } - ], - "fileTypes": null + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "ruleMatches": [ + { + "rule": { + "id": "bd9e69dd-93a1-4122-900a-992135c62572", + "name": "Bucket usage logs should be enabled" + }, + "severity": "LOW", + "failedResourceCount": 61, + "failedPolicyMatches": [], + "matches": [ + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/dev/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/dev/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[ops-filestore]", + "fileName": "states/dev/storage.tf", + "lineNumber": 24, + "matchContent": "resource \"google_storage_bucket\" \"ops-filestore\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/dev/storage.tf", + "lineNumber": 31, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 56, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 85, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gitlab-runner-caches]", + "fileName": "states/dev/storage.tf", + "lineNumber": 103, + "matchContent": "resource \"google_storage_bucket\" \"gitlab-runner-caches\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 123, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 135, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 147, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/dev/storage.tf", + "lineNumber": 167, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[public]", + "fileName": "states/dev/storage.tf", + "lineNumber": 209, + "matchContent": "resource \"google_storage_bucket\" \"public\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 221, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/dev/storage.tf", + "lineNumber": 247, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 259, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mta-sts]", + "fileName": "states/dev/storage.tf", + "lineNumber": 277, + "matchContent": "resource \"google_storage_bucket\" \"test-mta-sts\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/dev/storage.tf", + "lineNumber": 289, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/dev/storage.tf", + "lineNumber": 310, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-athens]", + "fileName": "states/dev/storage.tf", + "lineNumber": 330, + "matchContent": "resource \"google_storage_bucket\" \"test-athens\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 350, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 371, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/dev/storage.tf", + "lineNumber": 386, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 402, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-dd-state]", + "fileName": "states/dev/storage.tf", + "lineNumber": 418, + "matchContent": "resource \"google_storage_bucket\" \"terraform-dd-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[merchant-reports]", + "fileName": "states/dev/storage.tf", + "lineNumber": 425, + "matchContent": "resource \"google_storage_bucket\" \"merchant-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-merchant-assets]", + "fileName": "states/dev/storage.tf", + "lineNumber": 464, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-merchant-assets\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-dev-tableau-1-backups]", + "fileName": "states/dev/storage.tf", + "lineNumber": 497, + "matchContent": "resource \"google_storage_bucket\" \"test-dev-tableau-1-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/dev/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[elastic-snapshots]", + "fileName": "states/prod/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"elastic-snapshots\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/prod/storage.tf", + "lineNumber": 17, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state]", + "fileName": "states/prod/storage.tf", + "lineNumber": 33, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[datadog-logs-archive]", + "fileName": "states/prod/storage.tf", + "lineNumber": 45, + "matchContent": "resource \"google_storage_bucket\" \"datadog-logs-archive\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 63, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[cloud-sql-exports-multi]", + "fileName": "states/prod/storage.tf", + "lineNumber": 81, + "matchContent": "resource \"google_storage_bucket\" \"cloud-sql-exports-multi\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[fivetran]", + "fileName": "states/prod/storage.tf", + "lineNumber": 99, + "matchContent": "resource \"google_storage_bucket\" \"fivetran\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 126, + "matchContent": "resource \"google_storage_bucket\" \"test-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-settlement-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 138, + "matchContent": "resource \"google_storage_bucket\" \"test-settlement-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-chat-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 150, + "matchContent": "resource \"google_storage_bucket\" \"test-chat-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-m2p-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 170, + "matchContent": "resource \"google_storage_bucket\" \"test-m2p-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-mail-attachments]", + "fileName": "states/prod/storage.tf", + "lineNumber": 182, + "matchContent": "resource \"google_storage_bucket\" \"test-mail-attachments\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-static]", + "fileName": "states/prod/storage.tf", + "lineNumber": 204, + "matchContent": "resource \"google_storage_bucket\" \"test-static\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-withdrawals-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 216, + "matchContent": "resource \"google_storage_bucket\" \"test-withdrawals-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-ai-models]", + "fileName": "states/prod/storage.tf", + "lineNumber": 241, + "matchContent": "resource \"google_storage_bucket\" \"test-ai-models\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[sanity-dataset-exports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 253, + "matchContent": "resource \"google_storage_bucket\" \"sanity-dataset-exports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-clevertap-export]", + "fileName": "states/prod/storage.tf", + "lineNumber": 270, + "matchContent": "resource \"google_storage_bucket\" \"test-clevertap-export\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-crm]", + "fileName": "states/prod/storage.tf", + "lineNumber": 290, + "matchContent": "resource \"google_storage_bucket\" \"test-crm\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-customer-support]", + "fileName": "states/prod/storage.tf", + "lineNumber": 302, + "matchContent": "resource \"google_storage_bucket\" \"test-customer-support\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-prod-ciso-reports]", + "fileName": "states/prod/storage.tf", + "lineNumber": 324, + "matchContent": "resource \"google_storage_bucket\" \"test-prod-ciso-reports\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 336, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[gcp-iam-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 351, + "matchContent": "resource \"google_storage_bucket\" \"gcp-iam-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/prod/storage.tf", + "lineNumber": 372, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/prod/storage.tf", + "lineNumber": 388, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[test-merchant-dashboard-files]", + "fileName": "states/prod/storage.tf", + "lineNumber": 404, + "matchContent": "resource \"google_storage_bucket\" \"test-merchant-dashboard-files\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[feeds]", + "fileName": "states/prod/storage.tf", + "lineNumber": 424, + "matchContent": "resource \"google_storage_bucket\" \"feeds\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[axi-pgbackrest]", + "fileName": "states/prod/storage.tf", + "lineNumber": 445, + "matchContent": "resource \"google_storage_bucket\" \"axi-pgbackrest\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/prod/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"vault-store\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[terraform-state-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 19, + "matchContent": "resource \"google_storage_bucket\" \"terraform-state-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backup]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 37, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backup\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[vault-store-backups]", + "fileName": "states/sandbox/storage.tf", + "lineNumber": 53, + "matchContent": "resource \"google_storage_bucket\" \"vault-store-backups\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + }, + { + "failedPolicies": [], + "resourceName": "google_storage_bucket[velero]", + "fileName": "states/sandbox/velero.tf", + "lineNumber": 1, + "matchContent": "resource \"google_storage_bucket\" \"velero\" {", + "expected": "'logging' should be set", + "found": "'logging' is undefined", + "fileType": "TERRAFORM", + "remediationInstructions": null, + "fileRemediation": null, + "resourceDeclaration": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ], + "iacFinding": null + } + ] + } + ], + "scanStatistics": { + "infoMatches": 0, + "lowMatches": 1, + "mediumMatches": 0, + "highMatches": 0, + "criticalMatches": 0, + "totalMatches": 0, + "filesFound": 107, + "filesParsed": 107, + "queriesLoaded": 1485, + "queriesExecuted": 1474, + "queriesExecutionFailed": 0 }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans#%" - } \ No newline at end of file + "secrets": null, + "fileTypes": [ + "KUBERNETES", + "TERRAFORM" + ], + "discoveredResources": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%252780018f07-b8ec-4cb0-8159-570683fb26a8%252A2c2025-05-14T10%2525%25252A3a27%2525%25252A3a08.345715984Z%2527%2529" +} diff --git a/unittests/scans/wizcli_iac/wizcli_iac_zero_vul.json b/unittests/scans/wizcli_iac/wizcli_iac_zero_vul.json index 62a2e405e7d..27d3fc32d1e 100644 --- a/unittests/scans/wizcli_iac/wizcli_iac_zero_vul.json +++ b/unittests/scans/wizcli_iac/wizcli_iac_zero_vul.json @@ -1,109 +1,152 @@ { - "id":"80015b15-ad9b-4e75-8975-963680aaccc3", - "projects":null, - "createdAt":"2024-07-17T07:19:19.187834637Z", - "startedAt":"0001-01-01T00:00:00Z", - "createdBy":{ - "serviceAccount":{ - "id":"12312312312312312" + "id": "80018f07-b8ec-4cb0-8159-570683fb26a8", + "projects": null, + "createdAt": "2025-05-14T10:27:25.982799496Z", + "startedAt": "2025-05-14T10:27:08.345715984Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER" + }, + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" } - }, - "status":{ - "state":"SUCCESS", - "verdict":"PASSED_BY_POLICY" - }, - "policies":[ + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": null, + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginIAC", + "name": "IAC scan 2025-05-14T10:27:07Z", + "subTypes": [ + "TERRAFORM", + "KUBERNETES" + ] + }, + "result": { + "__typename": "CICDIACScanResult", + "failedPolicyMatches": [ { - "id":"ce4872e0-ea52-463f-aad7-6ba1807062fa", - "name":"Default IaC policy", - "description":"Default built-in policy for Infrastructure as Code scanning", - "type":"IAC", - "builtin":true, - "projects":null, - "policyLifecycleEnforcements":[ + "policy": { + "id": "9c01526d-0e05-4598-80a3-e1a5a8c6795d", + "name": "test Default IaC policy", + "description": "Default built-in policy for Infrastructure as Code scanning", + "type": "IAC", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "enforcementMethod":"AUDIT", - "deploymentLifecycle":"ADMISSION_CONTROLLER" + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "ADMISSION_CONTROLLER", + "enforcementConfig": null }, { - "enforcementMethod":"BLOCK", - "deploymentLifecycle":"CLI" + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } - ], - "ignoreRules":null, - "lifecycleTargets":null, - "Default":false, - "params":{ - "__typename":"cicdscanpolicyparamsiac", - "severityThreshold":"CRITICAL", - "countThreshold":1, - "ignoredRules":null, - "validatableIgnoredRules":null, - "builtinIgnoreTagsEnabled":false, - "customIgnoreTags":null, - "securityFrameworks":null - } - }, - { - "id":"40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name":"Default secrets policy", - "description":"Default built-in policy for secret scanning", - "type":"SECRETS", - "builtin":true, - "projects":null, - "policyLifecycleEnforcements":[ - { - "enforcementMethod":"AUDIT", - "deploymentLifecycle":"CLI" - } - ], - "ignoreRules":null, - "lifecycleTargets":null, - "Default":false, - "params":{ - "__typename":"cicdscanpolicyparamssecrets", - "countThreshold":1, - "pathAllowList":[ - - ] - } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsiac", + "severityThreshold": "HIGH", + "countThreshold": 1, + "ignoredRules": null, + "validatableIgnoredRules": null, + "builtinIgnoreTagsEnabled": false, + "customIgnoreTags": null, + "securityFrameworks": null, + "cloudConfigurationRules": null + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } - ], - "extraInfo":null, - "tags":null, - "outdatedPolicies":[ - - ], - "taggedResource":null, - "scanOriginResource":{ - "__typename":"CICDScanOriginIAC", - "name":"IAC scan 2024-07-17T07:18:31Z", - "subTypes":[ - "KUBERNETES", - "CLOUD_FORMATION" - ] - }, - "result":{ - "__typename":"CICDIACScanResult", - "failedPolicyMatches":[ - - ], - "ruleMatches":null, - "scanStatistics":{ - "infoMatches":0, - "lowMatches":0, - "mediumMatches":0, - "highMatches":0, - "criticalMatches":0, - "totalMatches":0, - "filesFound":114, - "filesParsed":74, - "queriesLoaded":389, - "queriesExecuted":541, - "queriesExecutionFailed":0 - }, - "secrets":null, - "fileTypes":null - }, - "reportUrl":"https://app.wiz.io/findings/cicd-scans" - } \ No newline at end of file + ], + "ruleMatches": null, + "scanStatistics": { + "infoMatches": 0, + "lowMatches": 0, + "mediumMatches": 0, + "highMatches": 0, + "criticalMatches": 0, + "totalMatches": 0, + "filesFound": 107, + "filesParsed": 107, + "queriesLoaded": 1485, + "queriesExecuted": 1474, + "queriesExecutionFailed": 0 + }, + "secrets": null, + "fileTypes": [ + "KUBERNETES", + "TERRAFORM" + ], + "discoveredResources": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%252780018f07-b8ec-4cb0-8159-570683fb26a8%252A2c2025-05-14T10%2525%25252A3a27%2525%25252A3a08.345715984Z%2527%2529" + } + \ No newline at end of file diff --git a/unittests/scans/wizcli_img/wizcli_img_many_vul.json b/unittests/scans/wizcli_img/wizcli_img_many_vul.json index 0ff6503dda8..d97c9264a49 100644 --- a/unittests/scans/wizcli_img/wizcli_img_many_vul.json +++ b/unittests/scans/wizcli_img/wizcli_img_many_vul.json @@ -1,464 +1,3901 @@ { - "id": "800155d8-e31f-4a35-850c-a2b15c5c31dc", - "projects": null, - "createdAt": "2024-07-22T13:41:25.268449757Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" + "id": "8001d6bd-2b30-419d-8819-a3e962c90d42", + "projects": null, + "createdAt": "2025-05-07T13:46:45.864014091Z", + "startedAt": "2025-05-07T13:46:31.95780963Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true } }, - "status": { - "state": "SUCCESS", - "verdict": "WARN_BY_POLICY" + { + "id": "f3393997-29e9-4d15-b490-b91f575aebef", + "name": "Default malware policy", + "description": "Default built-in policy for malware scanning", + "type": "MALWARE", + "builtin": true, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsmalware", + "malwareFindingSeverityThreshold": "HIGH", + "malwareFindingConfidenceLevelThreshold": "HIGH", + "countThreshold": 1 + } + }, + { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, - "policies": [ + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + }, + { + "id": "978a1803-2e29-42c1-832a-ddfbb836c051", + "name": "test Default sensitive data policy", + "description": "Default built-in policy for sensitive data scanning", + "type": "SENSITIVE_DATA", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssensitivedata", + "dataFindingSeverityThreshold": "", + "countThreshold": 0 + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginContainerImage", + "name": "registry.sss.com/test.ai/services/api/release-3-967-0:latest", + "id": null, + "digest": null, + "imageLabels": null + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": [ { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" + "name": "curl", + "version": "7.64.0-r5", + "vulnerabilities": [ + { + "name": "CVE-2023-38039", + "severity": "MEDIUM", + "fixedVersion": null, + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2023-38039", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + } + ] + }, + { + "name": "CVE-2020-8231", + "severity": "HIGH", + "fixedVersion": "7.66.0-r5", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-8231", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 - } + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ] }, { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "name": "libcrypto1.1", + "version": "1.1.1g-r0", + "vulnerabilities": [ + { + "name": "CVE-2021-23839", + "severity": "LOW", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23839", + "description": null, + "score": 3.7, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2020-1971", + "severity": "MEDIUM", + "fixedVersion": "1.1.1i-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-1971", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-23841", + "severity": "MEDIUM", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23841", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-3449", + "severity": "MEDIUM", + "fixedVersion": "1.1.1k-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-3449", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-23840", + "severity": "HIGH", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23840", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + }, + { + "name": "CVE-2021-3450", + "severity": "HIGH", + "fixedVersion": "1.1.1k-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-3450", + "description": null, + "score": 7.4, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 - } + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ] }, { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "name": "libcurl", + "version": "7.64.0-r5", + "vulnerabilities": [ + { + "name": "CVE-2023-38039", + "severity": "MEDIUM", + "fixedVersion": null, + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2023-38039", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2020-8231", + "severity": "HIGH", + "fixedVersion": "7.66.0-r5", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-8231", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ] + }, + { + "name": "libssl1.1", + "version": "1.1.1g-r0", + "vulnerabilities": [ + { + "name": "CVE-2021-23839", + "severity": "LOW", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23839", + "description": null, + "score": 3.7, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2020-1971", + "severity": "MEDIUM", + "fixedVersion": "1.1.1i-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-1971", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-23841", + "severity": "MEDIUM", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23841", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-3449", + "severity": "MEDIUM", + "fixedVersion": "1.1.1k-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-3449", + "description": null, + "score": 5.9, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2021-23840", + "severity": "HIGH", + "fixedVersion": "1.1.1j-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-23840", + "description": null, + "score": 7.5, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + }, + { + "name": "CVE-2021-3450", + "severity": "HIGH", + "fixedVersion": "1.1.1k-r0", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2021-3450", + "description": null, + "score": 7.4, + "exploitabilityScore": 2.2, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + } + ], + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ] + }, + { + "name": "musl", + "version": "1.1.20-r5", + "vulnerabilities": [ + { + "name": "CVE-2020-28928", + "severity": "MEDIUM", + "fixedVersion": "1.1.20-r6", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-28928", + "description": null, + "score": 5.5, + "exploitabilityScore": 1.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + } + ], + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "musl-utils", + "version": "1.1.20-r5", + "vulnerabilities": [ + { + "name": "CVE-2020-28928", + "severity": "MEDIUM", + "fixedVersion": "1.1.20-r6", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2020-28928", + "description": null, + "score": 5.5, + "exploitabilityScore": 1.8, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + } + ], + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [] + }, + { + "name": "zlib", + "version": "1.2.11-r1", + "vulnerabilities": [ + { + "name": "CVE-2022-37434", + "severity": "CRITICAL", + "fixedVersion": "1.2.12-r3", + "fileRemediation": null, + "source": "https://security.alpinelinux.org/vuln/CVE-2022-37434", + "description": null, + "score": 9.8, + "exploitabilityScore": 3.9, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": true, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + } + ], + "detectionMethod": "PACKAGE", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ] } ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginContainerImage", - "name": "wizcli-imagescan", - "id": null, - "digest": null - }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": [ - { - "name": "libcrypto3", - "version": "3.3.1-r0", - "vulnerabilities": [ - { - "name": "CVE-2024-5535", - "severity": "LOW", - "fixedVersion": "3.3.1-r1", - "source": "https://security.alpinelinux.org/vuln/CVE-2024-5535", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - } - ], - "detectionMethod": "PACKAGE", - "layerMetadata": null, - "failedPolicyMatches": [] - }, - { - "name": "libssl3", - "version": "3.3.1-r0", - "vulnerabilities": [ - { - "name": "CVE-2024-5535", - "severity": "LOW", - "fixedVersion": "3.3.1-r1", - "source": "https://security.alpinelinux.org/vuln/CVE-2024-5535", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - } - ], - "detectionMethod": "PACKAGE", - "layerMetadata": null, - "failedPolicyMatches": [] - } - ], - "libraries": [ - { - "name": "golang.org/x/net", - "version": "0.14.0", - "path": "/app/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2023-44487", - "severity": "MEDIUM", - "fixedVersion": "0.17.0", - "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": true, - "hasCisaKevExploit": true, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "libraries": [ + { + "name": "golang.org/x/crypto", + "version": "0.29.0", + "path": "/app/apictl", + "startLine": null, + "endLine": null, + "vulnerabilities": [ + { + "name": "CVE-2025-22869", + "severity": "HIGH", + "fixedVersion": "0.35.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-hcg3-q754-cr77", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + }, + { + "name": "CVE-2024-45337", + "severity": "CRITICAL", + "fixedVersion": "0.31.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-v778-237x-gjrc", + "description": null, + "score": 9.1, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, - { - "name": "CVE-2023-45288", - "severity": "MEDIUM", - "fixedVersion": "0.23.0", - "source": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, - { - "name": "CVE-2023-39325", - "severity": "HIGH", - "fixedVersion": "0.17.0", - "source": "https://github.com/advisories/GHSA-4374-p667-p6c8", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - } - ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] - }, - { - "name": "google.golang.org/grpc", - "version": "1.48.0", - "path": "/app/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2023-44487", - "severity": "MEDIUM", - "fixedVersion": "1.56.3", - "source": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", - "description": null, - "score": 7.5, - "exploitabilityScore": 3.9, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": true, - "hasCisaKevExploit": true, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resolvedDependencyTree": null + }, + { + "name": "golang.org/x/net", + "version": "0.31.0", + "path": "/app/apictl", + "startLine": null, + "endLine": null, + "vulnerabilities": [ + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + } + ] + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [], + "resolvedDependencyTree": null + }, + { + "name": "github.com/gorilla/schema", + "version": "1.1.0", + "path": "/app/api", + "startLine": null, + "endLine": null, + "vulnerabilities": [ + { + "name": "CVE-2024-37298", + "severity": "HIGH", + "fixedVersion": "1.4.1", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-3669-72x9-r9p3", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resolvedDependencyTree": null + }, + { + "name": "golang.org/x/crypto", + "version": "0.29.0", + "path": "/app/api", + "startLine": null, + "endLine": null, + "vulnerabilities": [ + { + "name": "CVE-2025-22869", + "severity": "HIGH", + "fixedVersion": "0.35.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-hcg3-q754-cr77", + "description": null, + "score": 7.5, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + }, + { + "name": "CVE-2024-45337", + "severity": "CRITICAL", + "fixedVersion": "0.31.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-v778-237x-gjrc", + "description": null, + "score": 9.1, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "finding": null, + "ignoredPolicyMatches": null + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "resolvedDependencyTree": null + }, + { + "name": "golang.org/x/net", + "version": "0.31.0", + "path": "/app/api", + "startLine": null, + "endLine": null, + "vulnerabilities": [ + { + "name": "CVE-2025-22870", + "severity": "MEDIUM", + "fixedVersion": "0.36.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-qxp5-gwg8-xv66", + "description": null, + "score": 4.4, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + }, + { + "name": "CVE-2025-22872", + "severity": "MEDIUM", + "fixedVersion": "0.38.0", + "fileRemediation": null, + "source": "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "description": null, + "score": null, + "exploitabilityScore": null, + "cvssV3Metrics": null, + "cvssV2Metrics": null, + "hasExploit": false, + "hasCisaKevExploit": false, + "cisaKevReleaseDate": null, + "cisaKevDueDate": null, + "epssProbability": null, + "epssPercentile": null, + "epssSeverity": null, + "weightedSeverity": null, + "publishDate": null, + "fixPublishDate": null, + "gracePeriodEnd": null, + "gracePeriodRemainingHours": null, + "failedPolicyMatches": null, + "finding": null, + "ignoredPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": [] + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": "BELOW_THRESHOLD", + "matchedIgnoreRules": null + } + ] + } + ], + "detectionMethod": "LIBRARY", + "layerMetadata": null, + "failedPolicyMatches": [], + "resolvedDependencyTree": null + } + ], + "applications": null, + "cpes": null, + "secrets": [ + { + "id": "fcc00ecc-249b-5723-84fc-729aca5a5a67", + "externalId": null, + "description": "GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com)", + "path": "/app/keys/gcp.json", + "lineNumber": 5, + "offset": 141, + "type": "CLOUD_KEY", + "contains": [ + { + "name": "GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com)", + "type": "CLOUD_KEY" + } + ], + "snippet": null, + "failedPolicyMatches": [ + { + "policy": { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + } + ], + "hasAdminPrivileges": null, + "hasHighPrivileges": null, + "severity": "HIGH", + "relatedEntities": null, + "ignoredPolicyMatches": null, + "details": { + "__typename": "DiskScanSecretDetailsCloudKey", + "providerUniqueID": "test-dev-api-sa@testdev.iam.gserviceaccount.com", + "keyType": 3, + "isLongTerm": true + } + } + ], + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null, + "analytics": null + }, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "name": "GHSA-m425-mq94-257g", - "severity": "HIGH", - "fixedVersion": "1.56.3", - "source": "https://github.com/advisories/GHSA-m425-mq94-257g", - "description": null, - "score": 7.5, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, - { - "name": "google.golang.org/protobuf", - "version": "1.28.1", - "path": "/app/grpc/proto/go.mod", - "vulnerabilities": [ - { - "name": "CVE-2024-24786", - "severity": "MEDIUM", - "fixedVersion": "1.33.0", - "source": "https://github.com/advisories/GHSA-8r3f-844c-mc37", - "description": null, - "score": null, - "exploitabilityScore": null, - "cvssV3Metrics": null, - "cvssV2Metrics": null, - "hasExploit": false, - "hasCisaKevExploit": false, - "cisaKevReleaseDate": null, - "cisaKevDueDate": null, - "epssProbability": null, - "epssPercentile": null, - "epssSeverity": null, - "weightedSeverity": null, - "publishDate": null, - "fixPublishDate": null, - "gracePeriodEnd": null, - "gracePeriodRemainingHours": null, - "failedPolicyMatches": null, - "finding": null - } - ], - "detectionMethod": "LIBRARY", - "layerMetadata": null, - "failedPolicyMatches": [] - } - ], - "applications": null, - "cpes": null, - "secrets": [ - { - "id": null, - "externalId": null, - "description": "Password in URL (postgresql://postgres:---REDACTED---@localhost:5432/postgres?)", - "path": "/app/testing.go", - "lineNumber": 35, - "offset": 521, - "type": "PASSWORD", - "contains": [ + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "name": "Password", - "type": "PASSWORD" + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "snippet": null, - "failedPolicyMatches": [ + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "details": { - "__typename": "DiskScanSecretDetailsPassword", - "length": 8, - "isComplex": false - } - } - ], - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, - "hostConfiguration": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + "secretFindingSeverityThreshold": "INFORMATIONAL" } - } - ], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 2, - "mediumCount": 4, - "highCount": 2, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 1, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 1 - }, - "hostConfiguration": null, - "filesScannedCount": 124, - "directoriesScannedCount": 116 + "ignoreReason": null, + "matchedIgnoreRules": null } + ], + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 2, + "mediumCount": 14, + "highCount": 9, + "criticalCount": 3, + "unfixedCount": 2, + "totalCount": 28 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 1, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 1 + }, + "hostConfiguration": null, + "malware": { + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 0 + }, + "softwareSupplyChain": null, + "filesScannedCount": 2666, + "directoriesScannedCount": 161 }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans#" - } - \ No newline at end of file + "sbomOutput": "", + "malwares": null, + "softwareSupplyChain": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%25278001d6bd-2b30-419d-8819-a3e962c90d42%252A2c2025-05-07T13%2525%25252A3a46%2525%25252A3a31.95780963Z%2527%2529" +} diff --git a/unittests/scans/wizcli_img/wizcli_img_one_vul.json b/unittests/scans/wizcli_img/wizcli_img_one_vul.json index bee033d02c4..5ce319bdab7 100644 --- a/unittests/scans/wizcli_img/wizcli_img_one_vul.json +++ b/unittests/scans/wizcli_img/wizcli_img_one_vul.json @@ -1,214 +1,387 @@ { - "id": "800177c8-2478-4371-87a3-484da1acce1c", - "projects": null, - "createdAt": "2024-07-22T14:50:26.600849032Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" + "id": "8001d6bd-2b30-419d-8819-a3e962c90d42", + "projects": null, + "createdAt": "2025-05-07T13:46:45.864014091Z", + "startedAt": "2025-05-07T13:46:31.95780963Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + { + "id": "f3393997-29e9-4d15-b490-b91f575aebef", + "name": "Default malware policy", + "description": "Default built-in policy for malware scanning", + "type": "MALWARE", + "builtin": true, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsmalware", + "malwareFindingSeverityThreshold": "HIGH", + "malwareFindingConfidenceLevelThreshold": "HIGH", + "countThreshold": 1 } }, - "status": { - "state": "SUCCESS", - "verdict": "WARN_BY_POLICY" + { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } }, - "policies": [ - { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + }, + { + "id": "978a1803-2e29-42c1-832a-ddfbb836c051", + "name": "test Default sensitive data policy", + "description": "Default built-in policy for sensitive data scanning", + "type": "SENSITIVE_DATA", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" } - }, + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssensitivedata", + "dataFindingSeverityThreshold": "", + "countThreshold": 0 + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginContainerImage", + "name": "registry.sss.com/test.ai/services/api/release-3-967-0:latest", + "id": null, + "digest": null, + "imageLabels": null + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": null, + "libraries": null, + "applications": null, + "cpes": null, + "secrets": [ { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + "id": "fcc00ecc-249b-5723-84fc-729aca5a5a67", + "externalId": null, + "description": "GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com)", + "path": "/app/keys/gcp.json", + "lineNumber": 5, + "offset": 141, + "type": "CLOUD_KEY", + "contains": [ { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "name": "GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com)", + "type": "CLOUD_KEY" } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 - } - }, - { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ + "snippet": null, + "failedPolicyMatches": [ { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "policy": { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + "hasAdminPrivileges": null, + "hasHighPrivileges": null, + "severity": "HIGH", + "relatedEntities": null, + "ignoredPolicyMatches": null, + "details": { + "__typename": "DiskScanSecretDetailsCloudKey", + "providerUniqueID": "test-dev-api-sa@testdev.iam.gserviceaccount.com", + "keyType": 3, + "isLongTerm": true } } ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginContainerImage", - "name": "wizcli-imagescan", - "id": null, - "digest": null + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null, + "analytics": null }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": null, - "libraries": null, - "applications": null, - "cpes": null, - "secrets": [ - { - "id": null, - "externalId": null, - "description": "Password in URL (postgresql://postgres:---REDACTED---@localhost:5432/postgres?)", - "path": "/app/testing.go", - "lineNumber": 35, - "offset": 521, - "type": "PASSWORD", - "contains": [ + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "name": "Password", - "type": "PASSWORD" + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "snippet": null, - "failedPolicyMatches": [ + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } - } + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } ], - "details": { - "__typename": "DiskScanSecretDetailsPassword", - "length": 8, - "isComplex": false + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true } - } - ], - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, - "hostConfiguration": null, - "failedPolicyMatches": [ - { - "policy": { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI", - "enforcementConfig": null - } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] + }, + "ignoreReason": null, + "matchedIgnoreRules": null + }, + { + "policy": { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" } - } - ], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 0, - "mediumCount": 0, - "highCount": 0, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 - }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 1, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 1 }, - "hostConfiguration": null, - "filesScannedCount": 122, - "directoriesScannedCount": 116 + "ignoreReason": null, + "matchedIgnoreRules": null } + ], + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 2, + "mediumCount": 14, + "highCount": 9, + "criticalCount": 3, + "unfixedCount": 2, + "totalCount": 28 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 1, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 1 + }, + "hostConfiguration": null, + "malware": { + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 0 + }, + "softwareSupplyChain": null, + "filesScannedCount": 2666, + "directoriesScannedCount": 161 }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans#" - } - \ No newline at end of file + "sbomOutput": "", + "malwares": null, + "softwareSupplyChain": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%25278001d6bd-2b30-419d-8819-a3e962c90d42%252A2c2025-05-07T13%2525%25252A3a46%2525%25252A3a31.95780963Z%2527%2529" +} diff --git a/unittests/scans/wizcli_img/wizcli_img_zero_vul.json b/unittests/scans/wizcli_img/wizcli_img_zero_vul.json index 5867eb78fc1..d57748bc9a4 100644 --- a/unittests/scans/wizcli_img/wizcli_img_zero_vul.json +++ b/unittests/scans/wizcli_img/wizcli_img_zero_vul.json @@ -1,139 +1,326 @@ { - "id": "80013635-9dd5-4842-9591-5ec69b58b0d2", - "projects": null, - "createdAt": "2024-07-22T14:52:13.235118911Z", - "startedAt": "0001-01-01T00:00:00Z", - "createdBy": { - "serviceAccount": { - "id": "12312312312312312" + "id": "8001d6bd-2b30-419d-8819-a3e962c90d42", + "projects": null, + "createdAt": "2025-05-07T13:46:45.864014091Z", + "startedAt": "2025-05-07T13:46:31.95780963Z", + "createdBy": { + "serviceAccount": { + "id": "hycyzczp25cxpbmp67mtt2cg4mcadi4doz2fey4y4bgrqmk5b2ugs" + } + }, + "status": { + "state": "SUCCESS", + "verdict": "FAILED_BY_POLICY" + }, + "policies": [ + { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true } }, - "status": { - "state": "SUCCESS", - "verdict": "PASSED_BY_POLICY" + { + "id": "f3393997-29e9-4d15-b490-b91f575aebef", + "name": "Default malware policy", + "description": "Default built-in policy for malware scanning", + "type": "MALWARE", + "builtin": true, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsmalware", + "malwareFindingSeverityThreshold": "HIGH", + "malwareFindingConfidenceLevelThreshold": "HIGH", + "countThreshold": 1 + } }, - "policies": [ - { - "id": "6b4ccd22-b76a-45d1-98cf-30165587d718", - "name": "Default vulnerabilities policy", - "description": "Default built-in policy", - "type": "VULNERABILITIES", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "BLOCK", - "deploymentLifecycle": "CLI" - } + { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI" + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamsvulnerabilities", - "severity": "CRITICAL", - "packageCountThreshold": 1, - "ignoreUnfixed": true, - "packageAllowList": [], - "detectionMethods": null, - "fixGracePeriodHours": 0, - "publishGracePeriodHours": 0 + "secretFindingSeverityThreshold": "INFORMATIONAL" + } + }, + { + "id": "978a1803-2e29-42c1-832a-ddfbb836c051", + "name": "test Default sensitive data policy", + "description": "Default built-in policy for sensitive data scanning", + "type": "SENSITIVE_DATA", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "AUDIT", + "deploymentLifecycle": "CLI" } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssensitivedata", + "dataFindingSeverityThreshold": "", + "countThreshold": 0 + } + } + ], + "extraInfo": null, + "tags": null, + "outdatedPolicies": [], + "taggedResource": null, + "scanOriginResource": { + "__typename": "CICDScanOriginContainerImage", + "name": "registry.sss.com/test.ai/services/api/release-3-967-0:latest", + "id": null, + "digest": null, + "imageLabels": null + }, + "result": { + "__typename": "CICDDiskScanResult", + "osPackages": null, + "libraries": null, + "applications": null, + "cpes": null, + "secrets": null, + "dataFindings": null, + "vulnerableSBOMArtifactsByNameVersion": null, + "hostConfiguration": { + "hostConfigurationFrameworks": null, + "hostConfigurationFindings": null, + "analytics": null + }, + "failedPolicyMatches": [ + { + "policy": { + "id": "9bf73b16-99e7-4a54-af1e-dcfa1436a8f2", + "name": "test Default vulnerabilities policy ( Updated )", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [ + "PACKAGE", + "LIBRARY", + "FILE_PATH" + ], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true + } + }, + "ignoreReason": null, + "matchedIgnoreRules": null }, { - "id": "013bb6be-50b3-408e-8fbc-7a316756affc", - "name": "Default sensitive data policy", - "description": "Default built-in policy for sensitive data scanning", - "type": "SENSITIVE_DATA", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "policy": { + "id": "9c6726d0-1ada-4541-b6d6-3da5ca1124f9", + "name": "test Default vulnerabilities policy", + "description": "Default built-in policy", + "type": "VULNERABILITIES", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamsvulnerabilities", + "severity": "HIGH", + "packageCountThreshold": 1, + "ignoreUnfixed": true, + "packageAllowList": [], + "detectionMethods": [], + "vulnerabilities": [], + "fixGracePeriodHours": 0, + "publishGracePeriodHours": 0, + "ignoreTransitiveVulnerabilities": true } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssensitivedata", - "dataFindingSeverityThreshold": "", - "countThreshold": 0 - } + }, + "ignoreReason": null, + "matchedIgnoreRules": null }, { - "id": "40b3e31c-9b23-47cd-8b83-eb062d04250e", - "name": "Default secrets policy", - "description": "Default built-in policy for secret scanning", - "type": "SECRETS", - "builtin": true, - "projects": null, - "policyLifecycleEnforcements": [ - { - "enforcementMethod": "AUDIT", - "deploymentLifecycle": "CLI" + "policy": { + "id": "5a03dfb5-99ff-49b6-8a48-a9b65b13bf9a", + "name": "test Default secrets policy", + "description": "Default built-in policy for secret scanning", + "type": "SECRETS", + "builtin": false, + "projects": null, + "policyLifecycleEnforcements": [ + { + "enforcementMethod": "BLOCK", + "deploymentLifecycle": "CLI", + "enforcementConfig": null + } + ], + "ignoreRules": null, + "lifecycleTargets": null, + "Default": false, + "params": { + "__typename": "cicdscanpolicyparamssecrets", + "countThreshold": 1, + "pathAllowList": [ + "/.git/config", + ".git/config" + ], + "secretFindingSeverityThreshold": "INFORMATIONAL" } - ], - "ignoreRules": null, - "lifecycleTargets": null, - "Default": false, - "params": { - "__typename": "cicdscanpolicyparamssecrets", - "countThreshold": 1, - "pathAllowList": [] - } + }, + "ignoreReason": null, + "matchedIgnoreRules": null } ], - "extraInfo": null, - "tags": null, - "outdatedPolicies": [], - "taggedResource": null, - "scanOriginResource": { - "__typename": "CICDScanOriginContainerImage", - "name": "wizcli-imagescan", - "id": null, - "digest": null - }, - "result": { - "__typename": "CICDDiskScanResult", - "osPackages": null, - "libraries": null, - "applications": null, - "cpes": null, - "secrets": null, - "dataFindings": null, - "vulnerableSBOMArtifactsByNameVersion": null, + "analytics": { + "vulnerabilities": { + "infoCount": 0, + "lowCount": 2, + "mediumCount": 14, + "highCount": 9, + "criticalCount": 3, + "unfixedCount": 2, + "totalCount": 28 + }, + "secrets": { + "privateKeyCount": 0, + "publicKeyCount": 0, + "passwordCount": 0, + "certificateCount": 0, + "cloudKeyCount": 1, + "sshAuthorizedKeyCount": 0, + "dbConnectionStringCount": 0, + "gitCredentialCount": 0, + "presignedURLCount": 0, + "saasAPIKeyCount": 0, + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 1 + }, "hostConfiguration": null, - "failedPolicyMatches": [], - "analytics": { - "vulnerabilities": { - "infoCount": 0, - "lowCount": 0, - "mediumCount": 0, - "highCount": 0, - "criticalCount": 0, - "unfixedCount": 0, - "totalCount": 0 - }, - "secrets": { - "privateKeyCount": 0, - "publicKeyCount": 0, - "passwordCount": 0, - "certificateCount": 0, - "cloudKeyCount": 0, - "sshAuthorizedKeyCount": 0, - "dbConnectionStringCount": 0, - "gitCredentialCount": 0, - "presignedURLCount": 0, - "saasAPIKeyCount": 0, - "totalCount": 0 - }, - "hostConfiguration": null, - "filesScannedCount": 121, - "directoriesScannedCount": 116 - } + "malware": { + "infoCount": 0, + "lowCount": 0, + "mediumCount": 0, + "highCount": 0, + "criticalCount": 0, + "totalCount": 0 + }, + "softwareSupplyChain": null, + "filesScannedCount": 2666, + "directoriesScannedCount": 161 }, - "reportUrl": "https://app.wiz.io/findings/cicd-scans" - } - \ No newline at end of file + "sbomOutput": "", + "malwares": null, + "softwareSupplyChain": null + }, + "reportUrl": "https://app.wiz.io/findings/cicd-scans#~%2528cicd_scan~%25278001d6bd-2b30-419d-8819-a3e962c90d42%252A2c2025-05-07T13%2525%25252A3a46%2525%25252A3a31.95780963Z%2527%2529" +} From b135abf496319d9cce054b2a3ce27bbd4066fc1d Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 15:49:18 +0500 Subject: [PATCH 08/27] updated unit test to reflect latest cahnges in the parser --- unittests/tools/test_wizcli_dir_parser.py | 92 ++++++++++++----------- unittests/tools/test_wizcli_iac_parser.py | 74 +++++++++++------- unittests/tools/test_wizcli_img_parser.py | 69 +++++++++-------- 3 files changed, 132 insertions(+), 103 deletions(-) diff --git a/unittests/tools/test_wizcli_dir_parser.py b/unittests/tools/test_wizcli_dir_parser.py index 9802fd27c36..d79880d698b 100644 --- a/unittests/tools/test_wizcli_dir_parser.py +++ b/unittests/tools/test_wizcli_dir_parser.py @@ -16,64 +16,68 @@ def test_one_findings(self): findings = parser.get_findings(testfile, Test()) self.assertEqual(1, len(findings)) finding = findings[0] - self.assertEqual("google.golang.org/protobuf - CVE-2024-24786", finding.title) - self.assertEqual("Medium", finding.severity) - self.assertEqual("/grpc/proto/go.mod", finding.file_path) + self.assertEqual("github.com/golang-jwt/jwt/v4 4.5.1 - CVE-2025-30204", finding.title) + self.assertEqual("High", finding.severity) + self.assertEqual("/settlements/go.mod", finding.file_path) self.assertIn( - "**Library Name**: google.golang.org/protobuf\n" - "**Library Version**: 1.28.1\n" - "**Library Path**: /grpc/proto/go.mod\n" - "**Vulnerability Name**: CVE-2024-24786\n" - "**Fixed Version**: 1.33.0\n" - "**Source**: https://github.com/advisories/GHSA-8r3f-844c-mc37\n" - "**Description**: None\n" - "**Score**: None\n" - "**Exploitability Score**: None\n" - "**Has Exploit**: False\n" - "**Has CISA KEV Exploit**: False\n", + "**Vulnerability**: `CVE-2025-30204`\n" + "**Severity**: High\n" + "**Library**: `github.com/golang-jwt/jwt/v4`\n" + "**Version**: `4.5.1`\n" + "**Path/Manifest**: `/settlements/go.mod`\n" + "**Fixed Version**: 4.5.2\n" + "**Source**: https://github.com/advisories/GHSA-mh63-6h87-95cp\n" + "**Has Exploit (Known)**: False\n" + "**In CISA KEV**: False", finding.description, ) + self.assertEqual("Update `github.com/golang-jwt/jwt/v4` to version `4.5.2` or later in path/manifest `/settlements/go.mod`.", finding.mitigation) + self.assertEqual("CVE-2025-30204", finding.cve) + self.assertEqual("https://github.com/advisories/GHSA-mh63-6h87-95cp", finding.references) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_dir") / "wizcli_dir_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliDirParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(7, len(findings)) + + # Test first finding finding = findings[0] - self.assertEqual("golang.org/x/net - CVE-2023-44487", finding.title) - self.assertEqual("Medium", finding.severity) - self.assertEqual("/grpc/proto/go.mod", finding.file_path) + self.assertEqual("github.com/golang-jwt/jwt/v4 4.5.1 - CVE-2025-30204", finding.title) + self.assertEqual("High", finding.severity) + self.assertEqual("/settlements/go.mod", finding.file_path) self.assertIn( - "**Library Name**: golang.org/x/net\n" - "**Library Version**: 0.14.0\n" - "**Library Path**: /grpc/proto/go.mod\n" - "**Vulnerability Name**: CVE-2023-44487\n" - "**Fixed Version**: 0.17.0\n" - "**Source**: https://github.com/advisories/GHSA-qppj-fm5r-hxr3\n" - "**Description**: None\n" - "**Score**: 7.5\n" - "**Exploitability Score**: 3.9\n" - "**Has Exploit**: True\n" - "**Has CISA KEV Exploit**: True\n", + "**Vulnerability**: `CVE-2025-30204`\n" + "**Severity**: High\n" + "**Library**: `github.com/golang-jwt/jwt/v4`\n" + "**Version**: `4.5.1`\n" + "**Path/Manifest**: `/settlements/go.mod`\n" + "**Fixed Version**: 4.5.2\n" + "**Source**: https://github.com/advisories/GHSA-mh63-6h87-95cp", finding.description, ) - + self.assertEqual("CVE-2025-30204", finding.cve) + self.assertEqual("https://github.com/advisories/GHSA-mh63-6h87-95cp", finding.references) + + # Test second finding finding = findings[1] - self.assertEqual("golang.org/x/net - CVE-2023-45288", finding.title) - self.assertEqual("Medium", finding.severity) - self.assertEqual("/grpc/proto/go.mod", finding.file_path) - self.assertEqual(None, finding.line) + self.assertEqual("github.com/golang-jwt/jwt/v5 5.2.1 - CVE-2025-30204", finding.title) + self.assertEqual("High", finding.severity) + self.assertEqual("/settlements/go.mod", finding.file_path) self.assertIn( - "**Library Name**: golang.org/x/net\n" - "**Library Version**: 0.14.0\n" - "**Library Path**: /grpc/proto/go.mod\n" - "**Vulnerability Name**: CVE-2023-45288\n" - "**Fixed Version**: 0.23.0\n" - "**Source**: https://github.com/advisories/GHSA-4v7x-pqxf-cx7m\n" - "**Description**: None\n" - "**Score**: None\n" - "**Exploitability Score**: None\n" - "**Has Exploit**: False\n" - "**Has CISA KEV Exploit**: False\n", + "**Vulnerability**: `CVE-2025-30204`\n" + "**Severity**: High\n" + "**Library**: `github.com/golang-jwt/jwt/v5`\n" + "**Version**: `5.2.1`\n" + "**Path/Manifest**: `/settlements/go.mod`\n" + "**Fixed Version**: 5.2.2\n" + "**Source**: https://github.com/advisories/GHSA-mh63-6h87-95cp", finding.description, ) + self.assertEqual("CVE-2025-30204", finding.cve) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index ccfaa85bcb6..d988e72dc99 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -17,47 +17,64 @@ def test_one_findings(self): self.assertEqual(1, len(findings)) finding = findings[0] self.assertEqual( - "Secret: Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)", + "Bucket usage logs should be enabled - google_storage_bucket[elastic-snapshots]", finding.title, ) - self.assertEqual("High", finding.severity) - self.assertEqual("docker-compose.yml", finding.file_path) - self.assertEqual(58, finding.line) + self.assertEqual("Low", finding.severity) + self.assertEqual("states/dev/storage.tf", finding.file_path) + self.assertEqual(1, finding.line) self.assertIn( - "**Secret ID**: None\n" - "**Description**: Passwords And Secrets - Password in URL (postgres://postgres:---REDACTED---@db:5432/postgres?)\n" - "**File Name**: docker-compose.yml\n" - "**Line Number**: 58\n" - "**Match Content**: PASSWORD\n", + "**Rule**: Bucket usage logs should be enabled (ID: `bd9e69dd-93a1-4122-900a-992135c62572`)\n" + "**Severity**: Low\n" + "**Resource**: `google_storage_bucket[elastic-snapshots]`\n" + "**File**: `states/dev/storage.tf`\n" + "**Line**: 1\n" + "**Code Snippet**: ```\nresource \"google_storage_bucket\" \"elastic-snapshots\" {\n```\n" + "\n**Finding Details**:\n" + "- **Expected**: 'logging' should be set\n" + "- **Found**: 'logging' is undefined\n" + "- **File Type**: TERRAFORM", finding.description, ) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) + self.assertEqual("bd9e69dd-93a1-4122-900a-992135c62572", finding.vuln_id_from_tool) def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliIaCParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(25, len(findings)) + + # Test first finding finding = findings[0] self.assertEqual( "Apk Add Using Local Cache Path - FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}", finding.title, ) - self.assertEqual("Informational", finding.severity) + self.assertEqual("Info", finding.severity) self.assertEqual("Dockerfile", finding.file_path) self.assertEqual(8, finding.line) self.assertIn( - "**Rule ID**: 4ac84116-456f-4d60-9e12-187607266faf\n" - "**Rule Name**: Apk Add Using Local Cache Path\n" - "**Resource Name**: FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}\n" - "**File Name**: Dockerfile\n" - "**Line Number**: 8\n" - "**Match Content**: RUN apk add --update make git musl-dev gcc\n" - "**Expected**: 'RUN' should not contain 'apk add' command without '--no-cache' switch\n" - "**Found**: 'RUN' contains 'apk add' command without '--no-cache' switch\n" - "**File Type**: DOCKERFILE\n", + "**Rule**: Apk Add Using Local Cache Path (ID: `4ac84116-456f-4d60-9e12-187607266faf`)\n" + "**Severity**: Info\n" + "**Resource**: `FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}`\n" + "**File**: `Dockerfile`\n" + "**Line**: 8\n" + "**Code Snippet**: ```\nRUN apk add --update make git musl-dev gcc\n```\n" + "\n**Finding Details**:\n" + "- **Expected**: 'RUN' should not contain 'apk add' command without '--no-cache' switch\n" + "- **Found**: 'RUN' contains 'apk add' command without '--no-cache' switch\n" + "- **File Type**: DOCKERFILE", finding.description, ) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) + self.assertEqual("4ac84116-456f-4d60-9e12-187607266faf", finding.vuln_id_from_tool) + # Test second finding finding = findings[1] self.assertEqual( "Healthcheck Instruction Missing - FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}", @@ -67,14 +84,15 @@ def test_multiple_findings(self): self.assertEqual("Dockerfile", finding.file_path) self.assertEqual(58, finding.line) self.assertIn( - "**Rule ID**: ab1043e3-1eeb-4e38-9ca9-7ec0e99fe2ba\n" - "**Rule Name**: Healthcheck Instruction Missing\n" - "**Resource Name**: FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}\n" - "**File Name**: Dockerfile\n" - "**Line Number**: 58\n" - "**Match Content**: FROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest\n" - "**Expected**: Dockerfile should contain instruction 'HEALTHCHECK'\n" - "**Found**: Dockerfile doesn't contain instruction 'HEALTHCHECK'\n" - "**File Type**: DOCKERFILE\n", + "**Rule**: Healthcheck Instruction Missing (ID: `ab1043e3-1eeb-4e38-9ca9-7ec0e99fe2ba`)\n" + "**Severity**: Low\n" + "**Resource**: `FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}`\n" + "**File**: `Dockerfile`\n" + "**Line**: 58\n" + "**Code Snippet**: ```\nFROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest\n```\n" + "\n**Finding Details**:\n" + "- **Expected**: Dockerfile should contain instruction 'HEALTHCHECK'\n" + "- **Found**: Dockerfile doesn't contain instruction 'HEALTHCHECK'\n" + "- **File Type**: DOCKERFILE", finding.description, ) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index 94f2048a51b..019bf5d8591 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -17,57 +17,64 @@ def test_one_findings(self): self.assertEqual(1, len(findings)) finding = findings[0] self.assertEqual( - "Secret: Password in URL (postgresql://postgres:---REDACTED---@localhost:5432/postgres?)", finding.title, + "Secret Detected: GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com) (CLOUD_KEY)", + finding.title, ) self.assertEqual("High", finding.severity) - self.assertEqual("/app/testing.go", finding.file_path) + self.assertEqual("/app/keys/gcp.json", finding.file_path) + self.assertEqual(5, finding.line) self.assertIn( - "**Secret ID**: None\n" - "**Description**: Password in URL (postgresql://postgres:---REDACTED---@localhost:5432/postgres?)\n" - "**File Name**: /app/testing.go\n" - "**Line Number**: 35\n" - "**Match Content**: PASSWORD\n", + "**Type**: `CLOUD_KEY`\n" + "**Description**: GCP Service Account Key (ServiceAccount=test-dev-api-sa@testdev.iam.gserviceaccount.com)\n" + "**File**: `/app/keys/gcp.json`\n" + "**Line**: 5", finding.description, ) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_img") / "wizcli_img_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliImgParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(9, len(findings)) + + # Test first finding finding = findings[0] - self.assertEqual("libcrypto3 - CVE-2024-5535", finding.title) + self.assertEqual("OS Pkg: libcrypto3 3.3.1-r0 - CVE-2024-5535", finding.title) self.assertEqual("Low", finding.severity) - self.assertEqual(None, finding.file_path) + self.assertIsNone(finding.file_path) self.assertIn( - "**OS Package Name**: libcrypto3\n" - "**OS Package Version**: 3.3.1-r0\n" - "**Vulnerability Name**: CVE-2024-5535\n" + "**Vulnerability**: `CVE-2024-5535`\n" + "**Severity**: Low\n" + "**OS Package**: `libcrypto3`\n" + "**Version**: `3.3.1-r0`\n" "**Fixed Version**: 3.3.1-r1\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535\n" - "**Description**: None\n" - "**Score**: None\n" - "**Exploitability Score**: None\n" - "**Has Exploit**: False\n" - "**Has CISA KEV Exploit**: False\n", + "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535", finding.description, ) - + self.assertEqual("CVE-2024-5535", finding.cve) + self.assertEqual("https://security.alpinelinux.org/vuln/CVE-2024-5535", finding.references) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) + + # Test second finding finding = findings[1] - self.assertEqual("libssl3 - CVE-2024-5535", finding.title) + self.assertEqual("OS Pkg: libssl3 3.3.1-r0 - CVE-2024-5535", finding.title) self.assertEqual("Low", finding.severity) - self.assertEqual(None, finding.file_path) - self.assertEqual(None, finding.line) + self.assertIsNone(finding.file_path) self.assertIn( - "**OS Package Name**: libssl3\n" - "**OS Package Version**: 3.3.1-r0\n" - "**Vulnerability Name**: CVE-2024-5535\n" + "**Vulnerability**: `CVE-2024-5535`\n" + "**Severity**: Low\n" + "**OS Package**: `libssl3`\n" + "**Version**: `3.3.1-r0`\n" "**Fixed Version**: 3.3.1-r1\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535\n" - "**Description**: None\n" - "**Score**: None\n" - "**Exploitability Score**: None\n" - "**Has Exploit**: False\n" - "**Has CISA KEV Exploit**: False\n", + "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535", finding.description, ) + self.assertEqual("CVE-2024-5535", finding.cve) + self.assertTrue(finding.static_finding) + self.assertFalse(finding.dynamic_finding) + self.assertTrue(finding.active) From 974715f9e4ac73f45c3170be075d3c942f7c82e3 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 16:17:31 +0500 Subject: [PATCH 09/27] switched dedp algo to HASH_CODE for wizcli --- dojo/settings/settings.dist.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index faf65902f45..ab1b0323323 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1591,9 +1591,9 @@ def saml2_attrib_map_format(din): "Kubescape JSON Importer": DEDUPE_ALGO_HASH_CODE, "Kiuwan SCA Scan": DEDUPE_ALGO_HASH_CODE, "Rapplex Scan": DEDUPE_ALGO_HASH_CODE, - "Wizcli Img Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, - "Wizcli Dir Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, - "Wizcli IAC Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, + "Wizcli Img Scan": DEDUPE_ALGO_HASH_CODE, + "Wizcli Dir Scan": DEDUPE_ALGO_HASH_CODE, + "Wizcli IAC Scan": DEDUPE_ALGO_HASH_CODE, "AppCheck Web Application Scanner": DEDUPE_ALGO_HASH_CODE, "AWS Inspector2 Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, "Legitify Scan": DEDUPE_ALGO_HASH_CODE, From b5ea4663e1f02f3f906af82f76f5da8f55f9d6e6 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 17:10:38 +0500 Subject: [PATCH 10/27] fixed ruff --- unittests/tools/test_wizcli_dir_parser.py | 4 ++-- unittests/tools/test_wizcli_iac_parser.py | 4 ++-- unittests/tools/test_wizcli_img_parser.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/unittests/tools/test_wizcli_dir_parser.py b/unittests/tools/test_wizcli_dir_parser.py index d79880d698b..c8a59200236 100644 --- a/unittests/tools/test_wizcli_dir_parser.py +++ b/unittests/tools/test_wizcli_dir_parser.py @@ -43,7 +43,7 @@ def test_multiple_findings(self): parser = WizcliDirParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(7, len(findings)) - + # Test first finding finding = findings[0] self.assertEqual("github.com/golang-jwt/jwt/v4 4.5.1 - CVE-2025-30204", finding.title) @@ -61,7 +61,7 @@ def test_multiple_findings(self): ) self.assertEqual("CVE-2025-30204", finding.cve) self.assertEqual("https://github.com/advisories/GHSA-mh63-6h87-95cp", finding.references) - + # Test second finding finding = findings[1] self.assertEqual("github.com/golang-jwt/jwt/v5 5.2.1 - CVE-2025-30204", finding.title) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index d988e72dc99..fd2236bea50 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -29,7 +29,7 @@ def test_one_findings(self): "**Resource**: `google_storage_bucket[elastic-snapshots]`\n" "**File**: `states/dev/storage.tf`\n" "**Line**: 1\n" - "**Code Snippet**: ```\nresource \"google_storage_bucket\" \"elastic-snapshots\" {\n```\n" + '**Code Snippet**: ```\nresource "google_storage_bucket" "elastic-snapshots" {\n```\n' "\n**Finding Details**:\n" "- **Expected**: 'logging' should be set\n" "- **Found**: 'logging' is undefined\n" @@ -46,7 +46,7 @@ def test_multiple_findings(self): parser = WizcliIaCParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(25, len(findings)) - + # Test first finding finding = findings[0] self.assertEqual( diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index 019bf5d8591..b06105950a4 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -39,7 +39,7 @@ def test_multiple_findings(self): parser = WizcliImgParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(9, len(findings)) - + # Test first finding finding = findings[0] self.assertEqual("OS Pkg: libcrypto3 3.3.1-r0 - CVE-2024-5535", finding.title) @@ -59,7 +59,7 @@ def test_multiple_findings(self): self.assertTrue(finding.static_finding) self.assertFalse(finding.dynamic_finding) self.assertTrue(finding.active) - + # Test second finding finding = findings[1] self.assertEqual("OS Pkg: libssl3 3.3.1-r0 - CVE-2024-5535", finding.title) From dfb95f6b8ad1910dd76db15232084fe0491f6ac0 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 17:27:27 +0500 Subject: [PATCH 11/27] fixed unitests --- unittests/tools/test_wizcli_dir_parser.py | 4 ++-- unittests/tools/test_wizcli_iac_parser.py | 10 +++++----- unittests/tools/test_wizcli_img_parser.py | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/unittests/tools/test_wizcli_dir_parser.py b/unittests/tools/test_wizcli_dir_parser.py index c8a59200236..2f3094abdd2 100644 --- a/unittests/tools/test_wizcli_dir_parser.py +++ b/unittests/tools/test_wizcli_dir_parser.py @@ -42,8 +42,8 @@ def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_dir") / "wizcli_dir_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliDirParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(7, len(findings)) - + self.assertEqual(204, len(findings)) + # Test first finding finding = findings[0] self.assertEqual("github.com/golang-jwt/jwt/v4 4.5.1 - CVE-2025-30204", finding.title) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index fd2236bea50..644c4dc791e 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -1,18 +1,18 @@ from dojo.models import Test -from dojo.tools.wizcli_iac.parser import WizcliIaCParser +from dojo.tools.wizcli_iac.parser import WizcliIacParser from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path -class TestWizcliIaCParser(DojoTestCase): +class TestWizcliIacParser(DojoTestCase): def test_no_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_zero_vul.json").open(encoding="utf-8") as testfile: - parser = WizcliIaCParser() + parser = WizcliIacParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(len(findings), 0) def test_one_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_one_vul.json").open(encoding="utf-8") as testfile: - parser = WizcliIaCParser() + parser = WizcliIacParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(1, len(findings)) finding = findings[0] @@ -43,7 +43,7 @@ def test_one_findings(self): def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_many_vul.json").open(encoding="utf-8") as testfile: - parser = WizcliIaCParser() + parser = WizcliIacParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(25, len(findings)) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index b06105950a4..3459ff199cf 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -38,8 +38,8 @@ def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_img") / "wizcli_img_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliImgParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(9, len(findings)) - + self.assertEqual(29, len(findings)) + # Test first finding finding = findings[0] self.assertEqual("OS Pkg: libcrypto3 3.3.1-r0 - CVE-2024-5535", finding.title) From 8576a5fe4224783b69ed9f44cf991d1db3ec4724 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 17:28:57 +0500 Subject: [PATCH 12/27] fixed ruff --- unittests/tools/test_wizcli_dir_parser.py | 2 +- unittests/tools/test_wizcli_img_parser.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unittests/tools/test_wizcli_dir_parser.py b/unittests/tools/test_wizcli_dir_parser.py index 2f3094abdd2..9a45a8b09fa 100644 --- a/unittests/tools/test_wizcli_dir_parser.py +++ b/unittests/tools/test_wizcli_dir_parser.py @@ -43,7 +43,7 @@ def test_multiple_findings(self): parser = WizcliDirParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(204, len(findings)) - + # Test first finding finding = findings[0] self.assertEqual("github.com/golang-jwt/jwt/v4 4.5.1 - CVE-2025-30204", finding.title) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index 3459ff199cf..7e5356950ec 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -39,7 +39,7 @@ def test_multiple_findings(self): parser = WizcliImgParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(29, len(findings)) - + # Test first finding finding = findings[0] self.assertEqual("OS Pkg: libcrypto3 3.3.1-r0 - CVE-2024-5535", finding.title) From 59fa30ddaf1b443d1b5a98c749113de9e8995c79 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 17:45:23 +0500 Subject: [PATCH 13/27] Fixed unit test and ruff issues --- unittests/tools/test_wizcli_iac_parser.py | 4 ++-- unittests/tools/test_wizcli_img_parser.py | 19 +++++++++---------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index 644c4dc791e..85ca4b18c84 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -14,7 +14,7 @@ def test_one_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_one_vul.json").open(encoding="utf-8") as testfile: parser = WizcliIacParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(1, len(findings)) + self.assertEqual(61, len(findings)) finding = findings[0] self.assertEqual( "Bucket usage logs should be enabled - google_storage_bucket[elastic-snapshots]", @@ -45,7 +45,7 @@ def test_multiple_findings(self): with (get_unit_tests_scans_path("wizcli_iac") / "wizcli_iac_many_vul.json").open(encoding="utf-8") as testfile: parser = WizcliIacParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(25, len(findings)) + self.assertEqual(478, len(findings)) # Test first finding finding = findings[0] diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index 7e5356950ec..8059b828bf7 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -42,20 +42,19 @@ def test_multiple_findings(self): # Test first finding finding = findings[0] - self.assertEqual("OS Pkg: libcrypto3 3.3.1-r0 - CVE-2024-5535", finding.title) - self.assertEqual("Low", finding.severity) + self.assertEqual("OS Pkg: curl 7.64.0-r5 - CVE-2023-38039", finding.title) + self.assertEqual("Medium", finding.severity) self.assertIsNone(finding.file_path) self.assertIn( - "**Vulnerability**: `CVE-2024-5535`\n" - "**Severity**: Low\n" - "**OS Package**: `libcrypto3`\n" - "**Version**: `3.3.1-r0`\n" - "**Fixed Version**: 3.3.1-r1\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535", + "**Vulnerability**: `CVE-2023-38039`\n" + "**Severity**: Medium\n" + "**OS Package**: `curl`\n" + "**Version**: `7.64.0-r5`\n" + "**Source**: https://security.alpinelinux.org/vuln/CVE-2023-38039", finding.description, ) - self.assertEqual("CVE-2024-5535", finding.cve) - self.assertEqual("https://security.alpinelinux.org/vuln/CVE-2024-5535", finding.references) + self.assertEqual("CVE-2023-38039", finding.cve) + self.assertEqual("https://security.alpinelinux.org/vuln/CVE-2023-38039", finding.references) self.assertTrue(finding.static_finding) self.assertFalse(finding.dynamic_finding) self.assertTrue(finding.active) From 395fff42b2ffbd1851b9e370937d4bc35a2f12bf Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 20:22:51 +0500 Subject: [PATCH 14/27] fix to assertions --- unittests/tools/test_wizcli_iac_parser.py | 28 +++++++++++------------ unittests/tools/test_wizcli_img_parser.py | 9 +++++++- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index 85ca4b18c84..33ffb28b277 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -50,29 +50,29 @@ def test_multiple_findings(self): # Test first finding finding = findings[0] self.assertEqual( - "Apk Add Using Local Cache Path - FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}", + "Bucket usage logs should be enabled - google_storage_bucket[elastic-snapshots]", finding.title, ) - self.assertEqual("Info", finding.severity) - self.assertEqual("Dockerfile", finding.file_path) - self.assertEqual(8, finding.line) + self.assertEqual("Low", finding.severity) + self.assertEqual("states/dev/storage.tf", finding.file_path) + self.assertEqual(1, finding.line) self.assertIn( - "**Rule**: Apk Add Using Local Cache Path (ID: `4ac84116-456f-4d60-9e12-187607266faf`)\n" - "**Severity**: Info\n" - "**Resource**: `FROM={{registry.gitlab.com/evilorg.com/infra/images/go-lang-1.18-alpine3.17:latest as builder}}.{{RUN apk add --update make git musl-dev gcc}}`\n" - "**File**: `Dockerfile`\n" - "**Line**: 8\n" - "**Code Snippet**: ```\nRUN apk add --update make git musl-dev gcc\n```\n" + "**Rule**: Bucket usage logs should be enabled (ID: `bd9e69dd-93a1-4122-900a-992135c62572`)\n" + "**Severity**: Low\n" + "**Resource**: `google_storage_bucket[elastic-snapshots]`\n" + "**File**: `states/dev/storage.tf`\n" + "**Line**: 1\n" + '**Code Snippet**: ```\nresource "google_storage_bucket" "elastic-snapshots" {\n```\n' "\n**Finding Details**:\n" - "- **Expected**: 'RUN' should not contain 'apk add' command without '--no-cache' switch\n" - "- **Found**: 'RUN' contains 'apk add' command without '--no-cache' switch\n" - "- **File Type**: DOCKERFILE", + "- **Expected**: 'logging' should be set\n" + "- **Found**: 'logging' is undefined\n" + "- **File Type**: TERRAFORM", finding.description, ) self.assertTrue(finding.static_finding) self.assertFalse(finding.dynamic_finding) self.assertTrue(finding.active) - self.assertEqual("4ac84116-456f-4d60-9e12-187607266faf", finding.vuln_id_from_tool) + self.assertEqual("bd9e69dd-93a1-4122-900a-992135c62572", finding.vuln_id_from_tool) # Test second finding finding = findings[1] diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index 8059b828bf7..e58f76645ce 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -50,7 +50,14 @@ def test_multiple_findings(self): "**Severity**: Medium\n" "**OS Package**: `curl`\n" "**Version**: `7.64.0-r5`\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2023-38039", + "**Fixed Version**: N/A\n" + "**Source**: https://security.alpinelinux.org/vuln/CVE-2023-38039\n" + "**CVSS Score (from Wiz)**: 7.5\n" + "**Has Exploit (Known)**: True\n" + "**In CISA KEV**: False\n\n" + "**Ignored Policies**:\n" + "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" + "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", finding.description, ) self.assertEqual("CVE-2023-38039", finding.cve) From d78b537befdf53deccfcc90baaaea5dd6e71af91 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Mon, 2 Jun 2025 20:48:42 +0500 Subject: [PATCH 15/27] fixed remaining assertions --- unittests/tools/test_wizcli_iac_parser.py | 22 ++++++++++----------- unittests/tools/test_wizcli_img_parser.py | 24 ++++++++++++++--------- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/unittests/tools/test_wizcli_iac_parser.py b/unittests/tools/test_wizcli_iac_parser.py index 33ffb28b277..d3482bbef9e 100644 --- a/unittests/tools/test_wizcli_iac_parser.py +++ b/unittests/tools/test_wizcli_iac_parser.py @@ -77,22 +77,22 @@ def test_multiple_findings(self): # Test second finding finding = findings[1] self.assertEqual( - "Healthcheck Instruction Missing - FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}", + "Bucket usage logs should be enabled - google_storage_bucket[vault-store]", finding.title, ) self.assertEqual("Low", finding.severity) - self.assertEqual("Dockerfile", finding.file_path) - self.assertEqual(58, finding.line) + self.assertEqual("states/dev/storage.tf", finding.file_path) + self.assertEqual(17, finding.line) self.assertIn( - "**Rule**: Healthcheck Instruction Missing (ID: `ab1043e3-1eeb-4e38-9ca9-7ec0e99fe2ba`)\n" + "**Rule**: Bucket usage logs should be enabled (ID: `bd9e69dd-93a1-4122-900a-992135c62572`)\n" "**Severity**: Low\n" - "**Resource**: `FROM={{registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest}}`\n" - "**File**: `Dockerfile`\n" - "**Line**: 58\n" - "**Code Snippet**: ```\nFROM registry.gitlab.com/evilorg.com/infra/images/alpine-3.9:latest\n```\n" + "**Resource**: `google_storage_bucket[vault-store]`\n" + "**File**: `states/dev/storage.tf`\n" + "**Line**: 17\n" + '**Code Snippet**: ```\nresource "google_storage_bucket" "vault-store" {\n```\n' "\n**Finding Details**:\n" - "- **Expected**: Dockerfile should contain instruction 'HEALTHCHECK'\n" - "- **Found**: Dockerfile doesn't contain instruction 'HEALTHCHECK'\n" - "- **File Type**: DOCKERFILE", + "- **Expected**: 'logging' should be set\n" + "- **Found**: 'logging' is undefined\n" + "- **File Type**: TERRAFORM", finding.description, ) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index e58f76645ce..b3fd8559d91 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -68,19 +68,25 @@ def test_multiple_findings(self): # Test second finding finding = findings[1] - self.assertEqual("OS Pkg: libssl3 3.3.1-r0 - CVE-2024-5535", finding.title) - self.assertEqual("Low", finding.severity) + self.assertEqual("OS Pkg: curl 7.64.0-r5 - CVE-2023-38039", finding.title) + self.assertEqual("Medium", finding.severity) self.assertIsNone(finding.file_path) self.assertIn( - "**Vulnerability**: `CVE-2024-5535`\n" - "**Severity**: Low\n" - "**OS Package**: `libssl3`\n" - "**Version**: `3.3.1-r0`\n" - "**Fixed Version**: 3.3.1-r1\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2024-5535", + "**Vulnerability**: `CVE-2023-38039`\n" + "**Severity**: Medium\n" + "**OS Package**: `curl`\n" + "**Version**: `7.64.0-r5`\n" + "**Fixed Version**: N/A\n" + "**Source**: https://security.alpinelinux.org/vuln/CVE-2023-38039\n" + "**CVSS Score (from Wiz)**: 7.5\n" + "**Has Exploit (Known)**: True\n" + "**In CISA KEV**: False\n\n" + "**Ignored Policies**:\n" + "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" + "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", finding.description, ) - self.assertEqual("CVE-2024-5535", finding.cve) + self.assertEqual("CVE-2023-38039", finding.cve) self.assertTrue(finding.static_finding) self.assertFalse(finding.dynamic_finding) self.assertTrue(finding.active) From 6a21f00c76703afca032e0ffd380cdd91b85cd9f Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Tue, 3 Jun 2025 00:11:52 +0500 Subject: [PATCH 16/27] fixes --- unittests/tools/test_wizcli_img_parser.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index b3fd8559d91..d4f1ac41a97 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -68,25 +68,25 @@ def test_multiple_findings(self): # Test second finding finding = findings[1] - self.assertEqual("OS Pkg: curl 7.64.0-r5 - CVE-2023-38039", finding.title) - self.assertEqual("Medium", finding.severity) + self.assertEqual("OS Pkg: curl 7.64.0-r5 - CVE-2020-8231", finding.title) + self.assertEqual("High", finding.severity) self.assertIsNone(finding.file_path) self.assertIn( - "**Vulnerability**: `CVE-2023-38039`\n" - "**Severity**: Medium\n" + "**Vulnerability**: `CVE-2020-8231`\n" + "**Severity**: High\n" "**OS Package**: `curl`\n" "**Version**: `7.64.0-r5`\n" - "**Fixed Version**: N/A\n" - "**Source**: https://security.alpinelinux.org/vuln/CVE-2023-38039\n" + "**Fixed Version**: 7.66.0-r5\n" + "**Source**: https://security.alpinelinux.org/vuln/CVE-2020-8231\n" "**CVSS Score (from Wiz)**: 7.5\n" - "**Has Exploit (Known)**: True\n" + "**Has Exploit (Known)**: False\n" "**In CISA KEV**: False\n\n" "**Ignored Policies**:\n" "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", finding.description, ) - self.assertEqual("CVE-2023-38039", finding.cve) + self.assertEqual("CVE-2020-8231", finding.cve) self.assertTrue(finding.static_finding) self.assertFalse(finding.dynamic_finding) self.assertTrue(finding.active) From a804dcc2496bc5b2e7a663fc8404b5879d7dd8f7 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Tue, 3 Jun 2025 01:38:20 +0500 Subject: [PATCH 17/27] updates --- unittests/tools/test_wizcli_img_parser.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index d4f1ac41a97..cffdca593e8 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -55,7 +55,7 @@ def test_multiple_findings(self): "**CVSS Score (from Wiz)**: 7.5\n" "**Has Exploit (Known)**: True\n" "**In CISA KEV**: False\n\n" - "**Ignored Policies**:\n" + "**Failed Policies**:\n" "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", finding.description, @@ -81,9 +81,9 @@ def test_multiple_findings(self): "**CVSS Score (from Wiz)**: 7.5\n" "**Has Exploit (Known)**: False\n" "**In CISA KEV**: False\n\n" - "**Ignored Policies**:\n" - "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" - "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", + "**Failed Policies**:\n" + "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)\n" + "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)", finding.description, ) self.assertEqual("CVE-2020-8231", finding.cve) From ae1cd2a4063272a645914d1531f7c7502a2294b0 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Tue, 3 Jun 2025 02:39:48 +0500 Subject: [PATCH 18/27] fixed img test --- unittests/tools/test_wizcli_img_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_wizcli_img_parser.py b/unittests/tools/test_wizcli_img_parser.py index cffdca593e8..3186a6a99da 100644 --- a/unittests/tools/test_wizcli_img_parser.py +++ b/unittests/tools/test_wizcli_img_parser.py @@ -55,7 +55,7 @@ def test_multiple_findings(self): "**CVSS Score (from Wiz)**: 7.5\n" "**Has Exploit (Known)**: True\n" "**In CISA KEV**: False\n\n" - "**Failed Policies**:\n" + "**Ignored Policies**:\n" "- test Default vulnerabilities policy (ID: 9c6726d0-1ada-4541-b6d6-3da5ca1124f9)\n" "- test Default vulnerabilities policy ( Updated ) (ID: 9bf73b16-99e7-4a54-af1e-dcfa1436a8f2)", finding.description, From 3d42de858322a821610385452781dca195ed0e79 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 9 Jun 2025 14:35:48 +0000 Subject: [PATCH 19/27] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index e138a5fa63c..f0b452091e8 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.48.0-dev", + "version": "2.47.1", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 7fe98bc9de6..648e42df9db 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.47.0" +__version__ = "2.47.1" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index ed714def5b0..93cbe06eaea 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.48.0-dev" +appVersion: "2.47.1" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.191-dev +version: 1.6.191 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 7ed4298042aacbb434cf09bae661ed5403b7f658 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Thu, 12 Jun 2025 17:43:29 +0500 Subject: [PATCH 20/27] added HASHCODE_FIELDS_PER_SCANNER entries for these parser --- dojo/settings/settings.dist.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 6b0233f804d..a358b1fbc25 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1345,7 +1345,9 @@ def saml2_attrib_map_format(din): "Red Hat Satellite": ["description", "severity"], "Qualys Hacker Guardian Scan": ["title", "severity", "description"], "Cyberwatch scan (Galeax)": ["title", "description", "severity"], -} + "Wizcli Img Scan": ["title", "description", "file_path", "line", "component_name", "component_version"] + "Wizcli Dir Scan": ["title", "description", "file_path", "line", "component_name", "component_version"] + "Wizcli IAC Scan": ["title", "description", "file_path", "line", "component_name"] # Override the hardcoded settings here via the env var if len(env("DD_HASHCODE_FIELDS_PER_SCANNER")) > 0: From f9c7365d056f9bd6eacd00c52afcd1b54dc8c0d6 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Thu, 12 Jun 2025 17:43:50 +0500 Subject: [PATCH 21/27] removed unique id generation and use --- dojo/tools/wizcli_common_parsers/parsers.py | 51 ++------------------- 1 file changed, 3 insertions(+), 48 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index e20c7a9dec3..0dca79e6218 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -1,4 +1,3 @@ -import hashlib import logging import re @@ -36,31 +35,9 @@ def extract_reference_link(text): match = re.search(r"(https?://[^\s)]+)", text) return match.group(1) if match else None - @staticmethod - def _generate_unique_id(components: list) -> str: - """ - Generates a stable unique ID for findings. - - Args: - components: List of components to use for ID generation - - """ - # Filter out None and empty values - filtered_components = [str(c).strip() for c in components if c is not None and str(c).strip()] - - # Sort components for consistent order regardless of input order - filtered_components = sorted(filtered_components) - - id_string = "|".join(filtered_components) - hash_object = hashlib.sha256(id_string.encode("utf-8")) - return hash_object.hexdigest() - @staticmethod def parse_libraries(libraries_data, test): - """ - Parses library vulnerability data into granular DefectDojo findings. - Creates one finding per unique vulnerability (CVE/ID) per library instance (name/version/path). - """ + """Parses library vulnerability data into granular DefectDojo findings.""" findings_list = [] if not libraries_data: return findings_list @@ -132,11 +109,6 @@ def parse_libraries(libraries_data, test): full_description = "\n".join(description_parts) references = source_url if source_url != "N/A" else None - # Generate unique ID using stable components including file path - unique_id = WizcliParsers._generate_unique_id( - [lib_name, lib_version, vuln_name, lib_path], - ) - finding = Finding( test=test, title=title, @@ -149,7 +121,6 @@ def parse_libraries(libraries_data, test): component_version=lib_version, static_finding=True, dynamic_finding=False, - unique_id_from_tool=unique_id, vuln_id_from_tool=vuln_name, references=references, active=True, # Always set as active since we don't have status from Wiz @@ -212,11 +183,6 @@ def parse_secrets(secrets_data, test): full_description = "\n".join(description_parts) mitigation = "Rotate the exposed secret immediately. Remove the secret from the specified file path and line. Store secrets securely using a secrets management solution. Review commit history." - # Generate unique ID using stable components - unique_id = WizcliParsers._generate_unique_id( - [secret_type, file_path, str(line_number) if line_number is not None else "0"], - ) - finding = Finding( test=test, title=title, @@ -227,7 +193,6 @@ def parse_secrets(secrets_data, test): line=line_number if line_number is not None else 0, static_finding=True, dynamic_finding=False, - unique_id_from_tool=unique_id, active=True, # Always set as active since we don't have status from Wiz ) findings_list.append(finding) @@ -293,11 +258,6 @@ def parse_os_packages(os_packages_data, test): full_description = "\n".join(description_parts) references = source_url if source_url != "N/A" else None - # Generate unique ID using stable components - unique_id = WizcliParsers._generate_unique_id( - [pkg_name, pkg_version, vuln_name], - ) - finding = Finding( test=test, title=title, @@ -306,7 +266,8 @@ def parse_os_packages(os_packages_data, test): mitigation=mitigation, static_finding=True, dynamic_finding=False, - unique_id_from_tool=unique_id, + component_name=pkg_name, + component_version=pkg_version, vuln_id_from_tool=vuln_name, references=references, active=True, # Always set as active since we don't have status from Wiz @@ -408,11 +369,6 @@ def parse_rule_matches(rule_matches_data, test): full_description = "\n".join(description_parts) - # Generate unique ID using stable components for IAC - unique_id = WizcliParsers._generate_unique_id( - [rule_id, resource_name, file_name, str(line_number) if line_number is not None else "0"], # Only use rule ID and resource name for deduplication - ) - finding = Finding( test=test, title=title, @@ -424,7 +380,6 @@ def parse_rule_matches(rule_matches_data, test): component_name=resource_name, # Use resource name as component static_finding=True, dynamic_finding=False, - unique_id_from_tool=unique_id, vuln_id_from_tool=rule_id, # Use rule ID as the identifier references=references, active=True, # Always set as active since we don't have status from Wiz From 16812ad497ebbb049b2017418c1c8f45d83064b2 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Thu, 12 Jun 2025 17:55:31 +0500 Subject: [PATCH 22/27] fixed ruff errors --- dojo/settings/settings.dist.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index a358b1fbc25..d92d18aac79 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1345,9 +1345,10 @@ def saml2_attrib_map_format(din): "Red Hat Satellite": ["description", "severity"], "Qualys Hacker Guardian Scan": ["title", "severity", "description"], "Cyberwatch scan (Galeax)": ["title", "description", "severity"], - "Wizcli Img Scan": ["title", "description", "file_path", "line", "component_name", "component_version"] - "Wizcli Dir Scan": ["title", "description", "file_path", "line", "component_name", "component_version"] - "Wizcli IAC Scan": ["title", "description", "file_path", "line", "component_name"] + "Wizcli Img Scan": ["title", "description", "file_path", "line", "component_name", "component_version"], + "Wizcli Dir Scan": ["title", "description", "file_path", "line", "component_name", "component_version"], + "Wizcli IAC Scan": ["title", "description", "file_path", "line", "component_name"], +} # Override the hardcoded settings here via the env var if len(env("DD_HASHCODE_FIELDS_PER_SCANNER")) > 0: From 8dd415ea918f311edec80e19b68628617ed9342d Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Fri, 13 Jun 2025 17:12:05 +0500 Subject: [PATCH 23/27] updated hashcode logic for wizcli scans --- dojo/settings/settings.dist.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index d92d18aac79..cb75635ce12 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1345,9 +1345,9 @@ def saml2_attrib_map_format(din): "Red Hat Satellite": ["description", "severity"], "Qualys Hacker Guardian Scan": ["title", "severity", "description"], "Cyberwatch scan (Galeax)": ["title", "description", "severity"], - "Wizcli Img Scan": ["title", "description", "file_path", "line", "component_name", "component_version"], - "Wizcli Dir Scan": ["title", "description", "file_path", "line", "component_name", "component_version"], - "Wizcli IAC Scan": ["title", "description", "file_path", "line", "component_name"], + "Wizcli Img Scan": ["title", "file_path", "line", "component_name", "component_version"], + "Wizcli Dir Scan": ["title", "file_path", "line", "component_name", "component_version"], + "Wizcli IAC Scan": ["title", "file_path", "line", "component_name"], } # Override the hardcoded settings here via the env var From 1253ef100f3e8ac8490b74a75db053b4df3e27f7 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Fri, 13 Jun 2025 17:54:21 +0500 Subject: [PATCH 24/27] type in wizcli iac parser name --- dojo/settings/settings.dist.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index cb75635ce12..3a9b14c5423 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1347,7 +1347,7 @@ def saml2_attrib_map_format(din): "Cyberwatch scan (Galeax)": ["title", "description", "severity"], "Wizcli Img Scan": ["title", "file_path", "line", "component_name", "component_version"], "Wizcli Dir Scan": ["title", "file_path", "line", "component_name", "component_version"], - "Wizcli IAC Scan": ["title", "file_path", "line", "component_name"], + "Wizcli IaC Scan": ["title", "file_path", "line", "component_name"], } # Override the hardcoded settings here via the env var @@ -1595,7 +1595,7 @@ def saml2_attrib_map_format(din): "Rapplex Scan": DEDUPE_ALGO_HASH_CODE, "Wizcli Img Scan": DEDUPE_ALGO_HASH_CODE, "Wizcli Dir Scan": DEDUPE_ALGO_HASH_CODE, - "Wizcli IAC Scan": DEDUPE_ALGO_HASH_CODE, + "Wizcli IaC Scan": DEDUPE_ALGO_HASH_CODE, "AppCheck Web Application Scanner": DEDUPE_ALGO_HASH_CODE, "AWS Inspector2 Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, "Legitify Scan": DEDUPE_ALGO_HASH_CODE, From 8fcb8de9b4201a3e59f02d7cffa837e092c242bf Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Fri, 13 Jun 2025 17:54:29 +0500 Subject: [PATCH 25/27] added relase notes --- docs/content/en/open_source/upgrading/2.47.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/content/en/open_source/upgrading/2.47.md b/docs/content/en/open_source/upgrading/2.47.md index 02d00a70d13..c13f8e6788a 100644 --- a/docs/content/en/open_source/upgrading/2.47.md +++ b/docs/content/en/open_source/upgrading/2.47.md @@ -12,4 +12,15 @@ There are no special instructions for upgrading to 2.47.x. Check the [Release No ## Removal of Asynchronous Import -Please note that asynchronous import has been removed as it was announced in 2.46. If you haven't migrated from this feature yet, we recommend doing before upgrading to 2.47.0 \ No newline at end of file +Please note that asynchronous import has been removed as it was announced in 2.46. If you haven't migrated from this feature yet, we recommend doing before upgrading to 2.47.0 + +## Wizcli Parsers Hashcode Changes +**Hash Code changes** Wizcli parsers have been updated to populate more fields in release 2.47.3. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the following command: + +```bash +docker compose exec uwsgi /bin/bash -c "python manage.py dedupe --parser 'Wizcli Img Scan' --hash_code_only" +docker compose exec uwsgi /bin/bash -c "python manage.py dedupe --parser 'Wizcli Dir Scan' --hash_code_only" +docker compose exec uwsgi /bin/bash -c "python manage.py dedupe --parser 'Wizcli IaC Scan' --hash_code_only" +``` + +This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process. See dedupe.py for more information. From 40ad1dd08146f2869af7f17bbeb859bf81288b21 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Sat, 14 Jun 2025 16:04:28 +0500 Subject: [PATCH 26/27] rephrased to make it clrear to understand --- docs/content/en/open_source/upgrading/2.47.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/open_source/upgrading/2.47.md b/docs/content/en/open_source/upgrading/2.47.md index c13f8e6788a..287bdfb0158 100644 --- a/docs/content/en/open_source/upgrading/2.47.md +++ b/docs/content/en/open_source/upgrading/2.47.md @@ -15,7 +15,7 @@ There are no special instructions for upgrading to 2.47.x. Check the [Release No Please note that asynchronous import has been removed as it was announced in 2.46. If you haven't migrated from this feature yet, we recommend doing before upgrading to 2.47.0 ## Wizcli Parsers Hashcode Changes -**Hash Code changes** Wizcli parsers have been updated to populate more fields in release 2.47.3. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the following command: +**Hash Code changes** Wizcli parsers have been updated to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the commands below. Please note that due to the changes in the parser deduplication might not always happen against findings that were already present in Defect Dojo. ```bash docker compose exec uwsgi /bin/bash -c "python manage.py dedupe --parser 'Wizcli Img Scan' --hash_code_only" From 715d0985d368ade29a688e5315b94c4c374ee1e7 Mon Sep 17 00:00:00 2001 From: Osama Mahmood Date: Tue, 17 Jun 2025 15:55:28 +0500 Subject: [PATCH 27/27] added fallback value if fixedVersion not found --- dojo/tools/wizcli_common_parsers/parsers.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/wizcli_common_parsers/parsers.py b/dojo/tools/wizcli_common_parsers/parsers.py index 0dca79e6218..564c16d6f75 100644 --- a/dojo/tools/wizcli_common_parsers/parsers.py +++ b/dojo/tools/wizcli_common_parsers/parsers.py @@ -56,7 +56,7 @@ def parse_libraries(libraries_data, test): vuln_name = vuln_data.get("name", "N/A") severity_str = vuln_data.get("severity") severity = WizcliParsers.get_severity(severity_str) - fixed_version = vuln_data.get("fixedVersion") + fixed_version = vuln_data.get("fixedVersion", "N/A") source_url = vuln_data.get("source", "N/A") vuln_description_from_wiz = vuln_data.get("description") score_str = vuln_data.get("score") @@ -214,7 +214,7 @@ def parse_os_packages(os_packages_data, test): vuln_name = vuln_data.get("name", "N/A") severity_str = vuln_data.get("severity") severity = WizcliParsers.get_severity(severity_str) - fixed_version = vuln_data.get("fixedVersion") + fixed_version = vuln_data.get("fixedVersion", "N/A") source_url = vuln_data.get("source", "N/A") vuln_description_from_wiz = vuln_data.get("description") score_str = vuln_data.get("score")