From 4d0a3b7fb5c30a59ce51c2c6c227c9c69a295bec Mon Sep 17 00:00:00 2001
From: ArturRibeiro-CX
Date: Wed, 20 Nov 2024 23:18:09 +0000
Subject: [PATCH] fix unit tests and more some..in lint issues
---
.../query.rego | 2 +-
.../query.rego | 2 +-
.../query.rego | 2 +-
.../query.rego | 16 +++++----
.../query.rego | 6 ++--
.../gcp/cos_node_image_not_used/query.rego | 6 ++--
.../gcp/disk_encryption_disabled/query.rego | 31 +++++++++-------
.../gcp/dnssec_using_rsasha1/query.rego | 6 ++--
.../query.rego | 6 ++--
.../query.rego | 16 +++++----
.../query.rego | 6 ++--
.../gcp/ip_aliasing_disabled/query.rego | 16 +++++----
.../gcp/ip_forwarding_enabled/query.rego | 6 ++--
.../query.rego | 6 ++--
.../gcp/network_policy_disabled/query.rego | 36 +++++++++++--------
.../gcp/node_auto_upgrade_disabled/query.rego | 21 ++++++-----
.../query.rego | 10 +++---
.../query.rego | 6 ++--
.../gcp/private_cluster_disabled/query.rego | 16 +++++----
.../query.rego | 16 +++++----
.../rdp_access_is_not_restricted/query.rego | 6 ++--
.../gcp/shielded_vm_disabled/query.rego | 20 ++++++-----
.../query.rego | 16 +++++----
.../query.rego | 16 +++++----
.../ssh_access_is_not_restricted/query.rego | 6 ++--
.../stackdriver_logging_disabled/query.rego | 11 +++---
.../query.rego | 11 +++---
.../gcp_bom/pd/query.rego | 6 ++--
.../gcp_bom/pst/query.rego | 6 ++--
.../gcp_bom/sb/query.rego | 6 ++--
.../query.rego | 2 +-
.../query.rego | 2 +-
.../query.rego | 2 +-
.../query.rego | 2 +-
.../k8s/auto_tls_set_to_true/query.rego | 2 +-
.../query.rego | 4 +--
36 files changed, 218 insertions(+), 132 deletions(-)
diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego
index a0130a1d207..2b7026e008b 100644
--- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego
+++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego
@@ -19,7 +19,7 @@ shell_possibilities := { } CxPolicy[result] { - some document in input.keywords + some document in input.document resource := document.command[name][_] resource.Cmd == "run" value := resource.Value diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego index 82ce47d1c85..aee2303280a 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego @@ -3,7 +3,7 @@ package Cx import future.keywords.in CxPolicy[result] { - some document in input.keywords + some document in input.document resource := document.command[name][_] resource.Cmd == "copy" diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego index 81d90d3a605..5db109195d7 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego @@ -3,7 +3,7 @@ package Cx import future.keywords.in CxPolicy[result] { - some i, name + some name some document in input.document resource := document.command[name][_] resource.Cmd == "maintainer" diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/query.rego index bbeaaef6f65..7163f7df6c1 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/query.rego 
@@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "masterAuth") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -21,14 +23,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.masterAuth, "username") not common_lib.valid_key(resource.properties.masterAuth, "password") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.masterAuth", [resource.name]), @@ -40,14 +43,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not count(resource.properties.masterAuth.username) > 0 not count(resource.properties.masterAuth.password) > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.masterAuth", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/query.rego b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/query.rego index c523f89ae6f..dd6e19f7aca 100644 
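Review bot: In the second rule of cluster_master_authentication_disabled/query.rego, `not common_lib.valid_key(resource.properties.masterAuth, "username")` and `not common_lib.valid_key(resource.properties.masterAuth, "password")` sit in one rule body and are therefore ANDed, so a `masterAuth` block that defines only one of the two fields is not reported. The third rule has the same shape with its two `not count(...) > 0` lines. If the query is meant to require both fields, check each field on its own, for example `some field in {"username", "password"}` followed by `not common_lib.valid_key(resource.properties.masterAuth, field)`. The expected-value text of these rules lies outside the hunks, so the intended semantics are inferred.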
--- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" resource.properties.networkInterfaces[idx].accessConfigs result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.networkInterfaces", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego index af2b35f3bc4..264b7f13910 100644 --- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.nodePool" not startswith(lower(resource.properties.config.imageType), "cos") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.config.imageType", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego index 04eb21e8762..1e916dc9f11 100644 
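Review bot: The rule in compute_instance_is_publicly_accessible/query.rego uses `idx` for two different collections: `resource := document.resources[idx]` and, two lines later, `resource.properties.networkInterfaces[idx].accessConfigs`. Both references bind the same variable, so the rule only fires when the instance's position in `resources` equals the position of an interface carrying `accessConfigs`; an instance whose public interface sits at a different index is not reported. Index the interfaces independently, e.g. `resource.properties.networkInterfaces[_].accessConfigs`. The refactor to `some document in input.document` leaves this line untouched.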
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" disks := resource.properties.disks[d] not common_lib.valid_key(disks, "diskEncryptionKey") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.disks", [resource.name]), @@ -22,7 +24,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" disks := resource.properties.disks[d] @@ -30,7 +33,7 @@ CxPolicy[result] { not common_lib.valid_key(disks.diskEncryptionKey, "kmsKeyName") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.disks.diskEncryptionKey", [resource.name]), @@ -44,14 +47,15 @@ CxPolicy[result] { fields := {"rawKey", "kmsKeyName"} CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" disks := resource.properties.disks[d] disks.diskEncryptionKey[fields[f]] == "" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.disks.diskEncryptionKey.%s", [resource.name, fields[f]]), 
@@ -65,14 +69,15 @@ CxPolicy[result] { valid_disk_resources := ["compute.beta.disk", "compute.v1.disk"] CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == valid_disk_resources[_] disk := resource.properties not common_lib.valid_key(disk, "diskEncryptionKey") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.disks", [resource.name]), @@ -84,7 +89,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == valid_disk_resources[_] disk := resource.properties @@ -92,7 +98,7 @@ CxPolicy[result] { not common_lib.valid_key(disk.diskEncryptionKey, "kmsKeyName") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.diskEncryptionKey", [resource.name]), @@ -104,14 +110,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == valid_disk_resources[_] disk := resource.properties disk.diskEncryptionKey[fields[f]] == "" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.diskEncryptionKey.%s", [resource.name, fields[f]]), diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/query.rego b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/query.rego index 514028c6323..ca11fb4e2af 100644 --- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/query.rego 
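Review bot: In the `valid_disk_resources` rule at `@@ -65,14 +69,15 @@`, the reported `searchKey` is `resources.name={{%s}}.properties.disks`, but the rule itself reads the disk from `disk := resource.properties`, and the two sibling rules for the same resource types report under `.properties.diskEncryptionKey`. A standalone disk resource has no `properties.disks` path in that shape, so the finding probably cannot be resolved to the correct line in the scanned file. Pointing the key at the parent that exists keeps the finding locatable: `"searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),`.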
+++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "dns.v1.managedZone" resource.properties.dnssecConfig.defaultKeySpecs[d].algorithm == "rsasha1" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.dnssecConfig.defaultKeySpecs", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego index d413bc775be..81554a21a5b 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.legacyAbac.enabled == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.legacyAbac.enabled", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego index 99d6e3b1347..1b1413d876c 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego 
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "masterAuthorizedNetworksConfig") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.masterAuthorizedNetworksConfig, "enabled") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.masterAuthorizedNetworksConfig", [resource.name]), @@ -39,13 +42,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.masterAuthorizedNetworksConfig.enabled == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.masterAuthorizedNetworksConfig.enabled", [resource.name]), 
diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/query.rego index 9aefd8e22b7..03592966a31 100644 --- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "storage.v1.bucket" resource.properties.iamConfiguration.uniformBucketLevelAccess.enabled == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.iamConfiguration.uniformBucketLevelAccess.enabled", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego index 9c0b13a94f0..91d059466fd 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "ipAllocationPolicy") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), 
@@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.ipAllocationPolicy, "useIpAliases") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.ipAllocationPolicy", [resource.name]), @@ -39,13 +42,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.ipAllocationPolicy.useIpAliases == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.ipAllocationPolicy.useIpAliases", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego index 8e6f7771128..58c747eda68 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" resource.properties.canIpForward == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.canIpForward", [resource.name]), 
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego index 6f3642bf807..09b642fbe01 100644 --- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" startswith(resource.properties.databaseVersion, "MYSQL") @@ -11,7 +13,7 @@ CxPolicy[result] { resource.properties.settings.databaseFlags[f].value == "on" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings.databaseFlags[%d]", [resource.name, f]), diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego index 4602375e3ec..cafa9473537 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego 
@@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "networkPolicy") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.networkPolicy, "enabled") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.networkPolicy", [resource.name]), @@ -39,13 +42,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.networkPolicy.enabled == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.networkPolicy.enabled", [resource.name]), 
@@ -57,13 +61,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "addonsConfig") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -75,13 +80,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.addonsConfig, "networkPolicyConfig") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig", [resource.name]), @@ -93,13 +99,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.addonsConfig.networkPolicyConfig, "disabled") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig.networkPolicyConfig", [resource.name]), 
@@ -111,13 +118,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.addonsConfig.networkPolicyConfig.disabled == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig.networkPolicyConfig.disabled", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego index 6560c2467a0..64c6c355384 100644 --- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "nodePools") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), 
@@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.nodePools, "management") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.nodePools", [resource.name]), @@ -39,13 +42,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.nodePools.management, "autoUpgrade") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.nodePools.management", [resource.name]), @@ -57,13 +61,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.nodePools.management.autoUpgrade == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.nodePools.management.autoUpgrade", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/query.rego b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/query.rego index cbd5effbe60..3a5d19c06e0 100644 --- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/query.rego 
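Review bot: The rules in node_auto_upgrade_disabled/query.rego address `resource.properties.nodePools` as an object (`common_lib.valid_key(resource.properties.nodePools, "management")`, `resource.properties.nodePools.management.autoUpgrade == false`). In the container v1 API `nodePools` is a list of node pool objects; if scanned templates follow that shape, `nodePools.management` is undefined, so the `autoUpgrade == false` rule can never match and the `not valid_key(...)` rules would fire for every cluster that declares node pools. Iterating the pools would cover both shapes, e.g. `pool := resource.properties.nodePools[p]` followed by `pool.management.autoUpgrade == false`. `valid_key` is defined outside this patch, so its behaviour on arrays is assumed here and should be confirmed against the query's test fixtures.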
@@ -1,16 +1,18 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - member := input.document[i].resources[resource].accessControl.gcpIamPolicy.bindings[binding].members[memberIndex] + some document in input.document + member := document.resources[resource].accessControl.gcpIamPolicy.bindings[binding].members[memberIndex] startswith(member, "user:") endswith(member, "gmail.com") result := { - "documentId": input.document[i].id, - "resourceType": input.document[i].resources[resource].type, - "resourceName": input.document[i].resources[resource].name, + "documentId": document.id, + "resourceType": document.resources[resource].type, + "resourceName": document.resources[resource].name, "searchKey": sprintf("accessControl.gcpIamPolicy.bindings[%s].members.%s", [binding, member]), "issueType": "IncorrectValue", "keyExpectedValue": "'members' cannot contain Gmail account addresses", diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego index 1c925261e48..d303cf49101 100644 --- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" resource.properties.metadata.items[j].key == "enable-oslogin" resource.properties.metadata.items[j].value == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items[%d]", [resource.name, j]), 
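Review bot: In not_proper_email_account_in_use/query.rego, `endswith(member, "gmail.com")` also matches members on unrelated domains whose name merely ends in that string (constructed example: `user:a@corp-gmail.com`), which produces false findings and erodes trust in the rule. Anchoring on the address separator keeps the intent: `endswith(member, "@gmail.com")`. The comparison is also case-sensitive, so wrapping the member in `lower(...)` before both checks would be worth considering.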
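Review bot: In os_login_is_disabled_for_vm_instance/query.rego, `resource.properties.metadata.items[j].value == false` matches only a YAML boolean, so a template that writes the metadata value as a string (constructed example: `value: "FALSE"`) goes unreported even though OS Login is turned off. Normalising before the comparison closes the gap, e.g. `lower(sprintf("%v", [resource.properties.metadata.items[j].value])) == "false"`. The `block-project-ssh-keys` rule in project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego compares `value == false` the same way and would need the same change.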
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego index 518251d6ebc..a8a681ce757 100644 --- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "privateClusterConfig") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -23,13 +25,14 @@ CxPolicy[result] { fields := {"enablePrivateEndpoint", "enablePrivateNodes"} CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties.privateClusterConfig, fields[f]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.privateClusterConfig", [resource.name]), 
@@ -41,13 +44,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.privateClusterConfig[fields[f]] == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.privateClusterConfig.%s", [resource.name, fields[f]]), diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego index f63c23fdcb8..aa65610bcbd 100644 --- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" not common_lib.valid_key(resource.properties, "metadata") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), 
@@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" not haveField(resource.properties.metadata.items, "block-project-ssh-keys") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items", [resource.name]), @@ -39,14 +42,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" resource.properties.metadata.items[j].key == "block-project-ssh-keys" resource.properties.metadata.items[j].value == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items[%d].key", [resource.name, j]), diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego index e24a695a381..4be1e9c9e67 100644 --- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.firewall" properties := resource.properties 
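Review bot: In the third rule of project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego, `resource.properties.metadata.items[j].value == false` matches only a boolean, so a template that writes the value as the quoted string `"false"` would not be reported by this rule. The preceding rule presumably stays silent too in that case because the key is present (`haveField` is defined outside the hunk, so this is inferred), which would leave project-wide SSH keys unflagged. A type-tolerant comparison such as `lower(sprintf("%v", [resource.properties.metadata.items[j].value])) == "false"` covers both spellings. A test sample with a quoted value would confirm the behaviour either way.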
@@ -12,7 +14,7 @@ CxPolicy[result] { isRDPport(properties.allowed[a]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.allowed", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/query.rego index 5447dbdccfb..8f0d292de8d 100644 --- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" not common_lib.valid_key(resource.properties, "shieldedInstanceConfig") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -23,14 +25,15 @@ CxPolicy[result] { fields := {"enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring"} CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" - field := fields[_] + some field in fields not common_lib.valid_key(resource.properties.shieldedInstanceConfig, field) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.shieldedInstanceConfig", [resource.name]), 
@@ -42,14 +45,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.instance" - field := fields[_] + some field in fields resource.properties.shieldedInstanceConfig[field] == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.shieldedInstanceConfig.%s", [resource.name, field]), diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/query.rego index 5d78b5450f3..a4b8e2d0cde 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings not common_lib.valid_key(settings, "backupConfiguration") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings", [resource.name]), 
@@ -22,14 +24,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings not common_lib.valid_key(settings.backupConfiguration, "enabled") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings.backupConfiguration", [resource.name]), @@ -41,14 +44,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings settings.backupConfiguration.enabled == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings.backupConfiguration.enabled", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/query.rego index 4a03c033cc1..7f96834033a 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/query.rego 
@@ -1,16 +1,18 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings not common_lib.valid_key(settings, "ipConfiguration") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings", [resource.name]), @@ -22,14 +24,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings not common_lib.valid_key(settings.ipConfiguration, "requireSsl") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings.ipConfiguration", [resource.name]), @@ -41,14 +44,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "sqladmin.v1beta4.instance" settings := resource.properties.settings settings.ipConfiguration.requireSsl == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.settings.ipConfiguration.requireSsl", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego index 3610b866604..3b010996486 100644 
--- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "compute.v1.firewall" properties := resource.properties @@ -12,7 +14,7 @@ CxPolicy[result] { ports := isSSHport(properties.allowed[a]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.allowed[%d].ports=%s", [resource.name, ports]), diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego index 37c6355da94..0726f4b745c 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "loggingService") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), 
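Review bot: The `searchKey` in the second hunk of ssh_access_is_not_restricted/query.rego passes two arguments, `[resource.name, ports]`, to a format string with three verbs (`%s`, `%d`, `%s`), so the rendered key is malformed and the finding likely cannot be mapped to the right line of the template. The index from `properties.allowed[a]` looks like the missing argument: `sprintf("resources.name={{%s}}.properties.allowed[%d].ports=%s", [resource.name, a, ports])`. The line is unchanged context in this commit, but it sits directly below the edited `documentId` and fits the same lint pass. The return type of `isSSHport` is not visible here, so confirm that `%s` suits `ports`.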
@@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.loggingService == "none" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.loggingService", [resource.name]), diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego index c4690ba51a4..1f34b686631 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" not common_lib.valid_key(resource.properties, "monitoringService") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), @@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resources[idx] + some document in input.document + resource := document.resources[idx] resource.type == "container.v1.cluster" resource.properties.monitoringService == "none" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.type, "resourceName": resource.name, "searchKey": sprintf("resources.name={{%s}}.properties.monitoringService", [resource.name]), 
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego index 223be645a7d..b716958b08d 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego +++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego @@ -1,11 +1,13 @@ package Cx import data.generic.common as common_lib +import future.keywords.in valid_disk_resources := {"compute.beta.disk", "compute.v1.disk"} CxPolicy[result] { - gc_disk := input.document[i].resources[idx] + some document in input.document + gc_disk := document.resources[idx] gc_disk.type == valid_disk_resources[_] bom_output = { @@ -18,7 +20,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("resources.name={{%s}}", [gc_disk.name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego index 13dbe3533b6..620e0d91df5 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego +++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - pubsub_topic := input.document[i].resources[idx] + some document in input.document + pubsub_topic := document.resources[idx] pubsub_topic.type == "pubsub.v1.topic" bom_output = { @@ -16,7 +18,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("resources.name={{%s}}", [pubsub_topic.name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego index e02a12ec59a..04873440849 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego 
+++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - s_bucket := input.document[i].resources[idx] + some document in input.document + s_bucket := document.resources[idx] s_bucket.type == "storage.v1.bucket" bom_output = { @@ -16,7 +18,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("resources.name={{%s}}", [s_bucket.name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego b/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego index afa72fe66b6..17625ee0b42 100644 --- a/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego +++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { k8sLib.hasFlagWithValue(container, "--enable-admission-plugins", "AlwaysAdmit") result := { - "documentId": input.document[i].id, + "documentId": resource.id, "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/query.rego b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/query.rego index 65ecda54aca..00f91280838 100644 --- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/query.rego +++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/query.rego 
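Review bot: `"documentId": resource.id` in always_admit_admission_control_plugin_set/query.rego is equivalent to the old `input.document[i].id` only if `resource` is bound to the top-level document, and that binding sits above the hunk. If `resource` were ever a nested object, `resource.id` would be undefined and the rule would produce no result at all, which silently disables the check instead of failing loudly. The use of `resource.kind` suggests it is the document, so a short comment at the binding such as `# resource is the whole document; resource.id is the document id` would record the assumption. The same replacement appears in the always_pull_images, authorization_mode_node, authorization_mode_rbac and auto_tls hunks.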
@@ -14,7 +14,7 @@ CxPolicy[result] { not k8sLib.hasFlagWithValue(container, "--enable-admission-plugins", "AlwaysPullImages") result := { - "documentId": input.document[i].id, + "documentId": resource.id, "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), diff --git a/assets/queries/k8s/authorization_mode_node_not_set/query.rego b/assets/queries/k8s/authorization_mode_node_not_set/query.rego index 1f8a66736f7..e5042061a21 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/query.rego +++ b/assets/queries/k8s/authorization_mode_node_not_set/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { not k8sLib.hasFlagWithValue(container, "--authorization-mode", "Node") result := { - "documentId": input.document[i].id, + "documentId": resource.id, "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego b/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego index b275b014dfd..6ed48f288b7 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { not k8sLib.hasFlagWithValue(container, "--authorization-mode", "RBAC") result := { - "documentId": input.document[i].id, + "documentId": resource.id, "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), diff --git a/assets/queries/k8s/auto_tls_set_to_true/query.rego b/assets/queries/k8s/auto_tls_set_to_true/query.rego index 11e83315e5b..0a781c584d1 100644 --- a/assets/queries/k8s/auto_tls_set_to_true/query.rego 
+++ b/assets/queries/k8s/auto_tls_set_to_true/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { k8sLib.hasFlag(container, "--auto-tls=true") result := { - "documentId": input.document[i].id, + "documentId": resource.id, "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego index be29f0a53f3..4573fddbeab 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego @@ -52,7 +52,7 @@ CxPolicy[result] { } CxPolicy[result] { - doc := input.document[i] + some doc in input.document doc.kind == "KubeletConfiguration" notValidClientCAFile(doc) @@ -76,7 +76,7 @@ notValidClientCAFile(doc) { } CxPolicy[result] { - doc := input.document[i] + some doc in input.document doc.kind == "KubeletConfiguration" not endswith(doc.authentication.x509.clientCAFile, ".pem") not endswith(doc.authentication.x509.clientCAFile, ".crt")