From 94f42c5af2e4d5dcad034716499436392dd32f3d Mon Sep 17 00:00:00 2001
From: BING_TIN
Date: Thu, 24 Nov 2022 23:34:34 +0900
Subject: [PATCH] feat(terraform): add CKV NCP check about NKS(kubernetes) logging (#3855)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [22.10.27][add]LBListenerUsesSecureProtocols
* [22.11.01][add]NksPublicAccess
* [22.11.01][delete]ncp-13 rule
* [22.11.01][fix]NksPublicAccess Description fix
* [22.11.01][fix] test_NksPublicAccess.py
* [22.11.05][add]NCP_LBTargetGroupUsingHTTPS
* [22.11.05][delete]ncp_13_rule
* [22.11.06][addNCP_LBNetworkPrivate
* [22.11.08][add]CKV_NCP_18
* [22.11.08][add]NCP_CKV_39
* [22.11.08][fix]CKV_NCP_21
* [22.11.08][delete]CKVP_NCP_15
* [22.11.08]CKV_NCP_32
* Revert "[22.11.08]CKV_NCP_32"

  This reverts commit c3aa0172412220df75c5ab18b97e1d46233f14a8.

* [22.11.08][add]CKV_NCP_32
* Revert "[22.11.08][add]CKV_NCP_32"

  This reverts commit b7341f79eb51380321f1af7e415a6526c127fa51.

* [22.11.12][fix]CKV_NCP_27
* [22.11.12][fix]CKV_NCP_27
* [22.11.14][fix]NCP_CKV_19
* [22.11.16]CKV_NCP_19 BaseResourceNegativeValueCheck
* [22.11.16][delet]CKV_NCP_27
* [22.11.21][fix]CKV_NCP_21
* Update checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py

Co-authored-by: Anton Grübel
Co-authored-by: Kuemjong Jeong
Co-authored-by: Anton Grübel
---
 docs/5.Policy Index/all.md | 267 ++++++++++++++++---------------
 docs/5.Policy Index/terraform.md | 215 ++++++++++++-------------
 2 files changed, 242 insertions(+), 240 deletions(-)

diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md
index 026409f6d26..4ffa76cf780 100644
--- a/docs/5.Policy Index/all.md
+++ b/docs/5.Policy Index/all.md
@@ -2899,139 +2899,140 @@ nav_order: 1 | 2888 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | | 2889 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | | 2890 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2891 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2892 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2893 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2894 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2895 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2896 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2897 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2898 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI 
Object Storage has versioning enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2899 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2900 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2901 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2902 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2903 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2904 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2905 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2906 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2907 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2908 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2909 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2910 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2911 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2912 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2913 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2914 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2915 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2916 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2917 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2918 | 
CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2919 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2920 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2921 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2922 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2923 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2924 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2925 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2926 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2927 | CKV_OPENSTACK_3 | resource | 
openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2928 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2929 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2930 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2931 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2932 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2933 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2934 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2935 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2936 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2937 | CKV_PAN_6 | resource | 
panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2938 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2939 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2940 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2941 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2942 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2943 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2944 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2945 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2946 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2947 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2948 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2949 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2950 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2951 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2952 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2953 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2954 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2955 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2956 | CKV_PAN_15 | resource | panos_panorama_zone | 
Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2957 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2958 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2959 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2960 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2961 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2962 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2963 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2964 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2965 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2966 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2967 | CKV_SECRET_10 | Secret Keyword | secrets | Secret Keyword | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2968 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2969 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2970 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2971 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2972 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2973 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2974 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2975 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2976 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2977 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2978 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2979 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2980 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2981 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2982 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2983 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2984 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2985 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2986 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2987 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2988 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2989 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2990 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2991 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2992 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2993 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2994 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2995 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2996 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2997 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2998 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 2999 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3000 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3001 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3002 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3003 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3004 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3005 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3006 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3007 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3008 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3009 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3010 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3011 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3012 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3013 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3014 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3015 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3016 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3017 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3018 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3019 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3020 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3021 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3022 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 3023 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2891 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2892 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2893 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2894 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2895 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2896 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2897 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2898 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2899 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2900 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 
2901 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2902 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2903 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2904 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2905 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2906 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2907 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2908 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2909 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2910 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2911 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2912 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2913 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2914 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2915 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2916 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2917 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2918 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2919 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2920 | 
CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2921 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2922 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2923 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2924 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2925 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2926 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2927 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2928 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2929 | CKV_OPENSTACK_4 | resource | 
openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2930 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2931 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2932 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2933 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2934 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2935 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2936 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2937 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2938 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2939 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security 
rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2940 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2941 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2942 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2943 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2944 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2945 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2946 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2947 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2948 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2949 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2950 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2951 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2952 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2953 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2954 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2955 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2956 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2957 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2958 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is 
defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2959 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2960 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2961 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2962 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2963 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2964 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2965 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2966 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2967 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2968 | CKV_SECRET_10 | Secret Keyword | secrets | Secret Keyword | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2969 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2970 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2971 | CKV_SECRET_13 | Private Key | secrets | 
Private Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2972 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2973 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2974 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2975 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2976 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2977 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2978 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2979 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2980 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2981 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2982 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2983 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2984 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2985 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2986 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2987 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2988 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2989 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2990 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2991 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2992 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2993 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2994 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2995 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2996 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2997 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2998 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 2999 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3000 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3001 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3002 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3003 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3004 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3005 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3006 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3007 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3008 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3009 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3010 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3011 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3012 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3013 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3014 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3015 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3016 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3017 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3018 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3019 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3020 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3021 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. 
Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3022 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3023 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 3024 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 8acf9605c6b..82d559a49a9 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md 
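Review bot: In the all.md hunk, the added row `| 2891 | CKV_NCP_22 | resource | ncloud_nks_cluster | ...` comes directly after CKV_NCP_19, so the NCP ids skip 20 and 21 without any explanation. If those ids are reserved for checks still in review, say so in the commit message; otherwise renumber before merging, since a check id is hard to change once users reference it in skip lists. Every other changed line in this hunk is only the running index column shifting by one (the CKV_OCI_1 row moves from 2891 to 2892, and so on down the table), so please confirm the table was regenerated rather than edited by hand and that no id, entity or description text changed along the way.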
@@ -1661,113 +1661,114 @@ nav_order: 1 | 1650 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | | 1651 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | | 1652 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1653 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1654 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1655 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1656 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1657 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1658 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1659 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1660 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI 
Object Storage has versioning enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1661 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1662 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1663 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1664 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1665 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1666 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1667 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1668 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1669 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1670 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1671 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1672 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1673 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1674 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1675 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1676 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1677 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1678 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1679 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | 
-| 1680 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1681 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1682 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1683 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1684 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1685 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1686 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1687 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1688 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1689 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | 
Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1690 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1691 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1692 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1693 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1694 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1695 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1696 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1697 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1698 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1699 | CKV_PAN_9 | resource | panos_security_rule_group 
| Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1700 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1701 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1702 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1703 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1704 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1705 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1706 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1707 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1708 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1709 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1710 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1711 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1712 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1713 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1714 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1715 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1716 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1717 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1718 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1719 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1720 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1721 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1722 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1723 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1724 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1725 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1726 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1727 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1728 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1729 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1730 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1731 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1732 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1733 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1734 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1735 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1736 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1737 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1738 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1739 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1740 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1741 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1742 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1743 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1744 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1745 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1746 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1747 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1748 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1749 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1750 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1751 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1752 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1753 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1754 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1755 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1756 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1757 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1758 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | -| 1759 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1653 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1654 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1655 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1656 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1657 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1658 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1659 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1660 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1661 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1662 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1663 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1664 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1665 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1666 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1667 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1668 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1669 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1670 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1671 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1672 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1673 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1674 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1675 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1676 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1677 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1678 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not 
associated with API keys | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1679 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1680 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1681 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1682 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1683 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1684 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1685 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1686 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1687 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1688 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1689 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1690 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1691 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1692 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1693 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1694 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1695 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1696 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1697 | CKV_PAN_8 | resource | panos_security_policy | Ensure 
description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1698 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1699 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1700 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1701 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1702 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1703 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1704 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1705 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1706 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | 
https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1707 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1708 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1709 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1710 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1711 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1712 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1713 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1714 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1715 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1716 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1717 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1718 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1719 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1720 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1721 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1722 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1723 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1724 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1725 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1726 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1727 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1728 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1729 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1730 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1731 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1732 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1733 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1734 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1735 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1736 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1737 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1738 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1739 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1740 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1741 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1742 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1743 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1744 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1745 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1746 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1747 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1748 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1749 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1750 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1751 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1752 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1753 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1754 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1755 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1756 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1757 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1758 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1759 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | +| 1760 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | https://github.com/bridgecrewio/checkov/tree/master/checkov | ---
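Review bot: The one new row in this hunk, 1653 (CKV_NCP_22 on ncloud_nks_cluster), has a description that is missing its verb: "Ensure NKS control plane logging enabled for all log types" should read "Ensure NKS control plane logging is enabled for all log types", in line with neighbouring entries such as CKV_OCI_6 "Ensure OCI Compute Instance has monitoring enabled". If this index is generated from the check's name string, fix the wording in the check and regenerate the table instead of editing the row here. The description also says "all log types" without naming them, so a reader of the index cannot tell which log types a cluster must enable to pass; listing them in the check's documentation would help. Every other removed and added pair visible in the hunk is the same row with its leading index shifted by one (1690 to 1691 for CKV_PAN_5, through 1759 to 1760 for CKV_YC_24), so please confirm that no row text changed other than the index.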