{"id":13531059,"url":"https://github.com/bridgecrewio/terragoat","last_synced_at":"2025-04-23T20:52:24.924Z","repository":{"id":37028637,"uuid":"250592027","full_name":"bridgecrewio/terragoat","owner":"bridgecrewio","description":"TerraGoat is Bridgecrew's \"Vulnerable by Design\" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.","archived":false,"fork":false,"pushed_at":"2025-03-27T13:07:46.000Z","size":759,"stargazers_count":1190,"open_issues_count":48,"forks_count":5387,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-04-10T00:00:45.584Z","etag":null,"topics":["aws-security","azure-security","cloud-security","devsecops","gcp-security","goat","terraform"],"latest_commit_sha":null,"homepage":"https://www.bridgecrew.io/","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bridgecrewio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-27T16:56:31.000Z","updated_at":"2025-04-01T06:36:17.000Z","dependencies_parsed_at":"2024-01-13T10:13:06.911Z","dependency_job_id":"c9faf856-0c0c-4bbf-baf0-2ee1c1f473e7","html_url":"https://github.com/bridgecrewio/terragoat","commit_stats":{"total_commits":208,"total_committers":30,"mean_commits":6.933333333333334,"dds":0.7355769230769231,"last_synced_commit":"729f8da62c6a85ce4af5ad3d123de97776d954c4"},"previous_names":[],"tags_count":44,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fterragoat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fterragoat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fterragoat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fterragoat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bridgecrewio","download_url":"https://codeload.github.com/bridgecrewio/terragoat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250514756,"owners_count":21443208,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-security","azure-security","cloud-security","devsecops","gcp-security","goat","terraform"],"created_at":"2024-08-01T07:00:59.455Z","updated_at":"2025-04-23T20:52:24.900Z","avatar_url":"https://github.com/bridgecrewio.png","language":"HCL","funding_links":[],"categories":["Resources","Tools","HCL","Sorted by Technology and Category","Cloud Security","Penetration testing/learning","Other Awesome Lists","Training Labs","IaC Security Scanners"],"sub_categories":["Challenges","Intentionally Vulnerable Applications","Vulnerable by design","AWS","Intentionally Vulnerable Terraform"],"readme":"# TerraGoat - Vulnerable Terraform Infrastructure\n\n[![Maintained by 
Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=terragoat)\n[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/general)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fterragoat\u0026benchmark=INFRASTRUCTURE+SECURITY)\n[![CIS Azure](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fterragoat\u0026benchmark=CIS+AZURE+V1.1)\n[![CIS GCP](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fterragoat\u0026benchmark=CIS+GCP+V1.1)\n[![CIS AWS](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fterragoat\u0026benchmark=CIS+AWS+V1.2)\n[![PCI](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fterragoat\u0026benchmark=PCI-DSS+V3.2)\n![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg) \n[![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic\u0026logo=slack\u0026logoColor=white)](https://slack.bridgecrew.io/)\n\n![Terragoat](terragoat-logo.png)\n\nTerraGoat is Bridgecrew's \"Vulnerable by Design\" Terraform repository.\nTerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.\n\n## Table of Contents\n\n* [Introduction](#introduction)\n* [Getting Started](#getting-started)\n  * [AWS](#aws-setup)\n  * [Azure](#azure-setup)\n  * [GCP](#gcp-setup)\n* 
[Contributing](#contributing)\n* [Support](#support)\n\n## Introduction\n\nTerraGoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like [Bridgecrew](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=terragoat) \u0026 [Checkov](https://github.com/bridgecrewio/checkov/), inline-linters, pre-commit hooks or other code scanning methods.\n\nTerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.\n\n## Important notes\n\n* **Where to get help:** the [Bridgecrew Community Slack](https://slack.bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=terragoat)\n\nBefore you proceed, please take note of this warning:\n\u003e :warning: TerraGoat creates intentionally vulnerable AWS resources in your account. 
**DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.**\n\n## Requirements\n\n* Terraform 0.12\n* aws cli\n* azure cli\n\nTo prevent vulnerable infrastructure from reaching production, see [Bridgecrew](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=terragoat) \u0026 [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code.\n\n## Getting started\n\n### AWS Setup\n\n#### Installation (AWS)\n\nYou can deploy multiple TerraGoat stacks in a single AWS account using the parameter `TF_VAR_environment`.\n\n#### Create an S3 Bucket backend to keep Terraform state\n\n```bash\nexport TERRAGOAT_STATE_BUCKET=\"mydevsecops-bucket\"\nexport TF_VAR_company_name=acme\nexport TF_VAR_environment=mydevsecops\nexport TF_VAR_region=\"us-west-2\"\n\naws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \\\n    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region\n\n# Enable versioning\naws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled\n\n# Enable encryption\naws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{\n  \"Rules\": [\n    {\n      \"ApplyServerSideEncryptionByDefault\": {\n        \"SSEAlgorithm\": \"aws:kms\"\n      }\n    }\n  ]\n}'\n```\n\n#### Apply TerraGoat (AWS)\n\n```bash\ncd terraform/aws/\nterraform init \\\n-backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n-backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n-backend-config=\"region=$TF_VAR_region\"\n\nterraform apply\n```\n\n#### Remove TerraGoat (AWS)\n\n```bash\nterraform destroy\n```\n\n#### Creating multiple TerraGoat AWS stacks\n\n```bash\ncd terraform/aws/\nexport TERRAGOAT_ENV=$TF_VAR_environment\nexport TERRAGOAT_STACKS_NUM=5\nfor i in $(seq 1 $TERRAGOAT_STACKS_NUM)\ndo\n    export 
TF_VAR_environment=$TERRAGOAT_ENV$i\n    terraform init \\\n    -backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n    -backend-config=\"region=$TF_VAR_region\"\n\n    terraform apply -auto-approve\ndone\n```\n\n#### Deleting multiple TerraGoat stacks (AWS)\n\n```bash\ncd terraform/aws/\nexport TF_VAR_environment=$TERRAGOAT_ENV\nfor i in $(seq 1 $TERRAGOAT_STACKS_NUM)\ndo\n    export TF_VAR_environment=$TERRAGOAT_ENV$i\n    terraform init \\\n    -backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n    -backend-config=\"region=$TF_VAR_region\"\n\n    terraform destroy -auto-approve\ndone\n```\n\n### Azure Setup\n\n#### Installation (Azure)\n\nYou can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter `TF_VAR_environment`.\n\n#### Create an Azure Storage Account backend to keep Terraform state\n\n```bash\nexport TERRAGOAT_RESOURCE_GROUP=\"TerraGoatRG\"\nexport TERRAGOAT_STATE_STORAGE_ACCOUNT=\"mydevsecopssa\"\nexport TERRAGOAT_STATE_CONTAINER=\"mydevsecops\"\nexport TF_VAR_environment=\"dev\"\nexport TF_VAR_region=\"westus\"\n\n# Create resource group\naz group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP\n\n# Create storage account\naz storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob\n\n# Get storage account key\nACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query \"[0].value\" -o tsv)\n\n# Create blob container\naz storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY\n```\n\n#### Apply TerraGoat (Azure)\n\n```bash\ncd 
terraform/azure/\nterraform init -reconfigure -backend-config=\"resource_group_name=$TERRAGOAT_RESOURCE_GROUP\" \\\n    -backend-config \"storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT\" \\\n    -backend-config=\"container_name=$TERRAGOAT_STATE_CONTAINER\" \\\n    -backend-config \"key=$TF_VAR_environment.terraform.tfstate\"\n\nterraform apply\n```\n\n#### Remove TerraGoat (Azure)\n\n```bash\nterraform destroy\n```\n\n### GCP Setup\n\n#### Installation (GCP)\n\nYou can deploy multiple TerraGoat stacks in a single GCP project using the parameter `TF_VAR_environment`.\n\n#### Create a GCS backend to keep Terraform state\n\nTo use Terraform, a Service Account and a matching set of credentials are required.\nIf they do not exist, they must be manually created for the relevant project.\nTo create the Service Account:\n1. Sign into your GCP project, go to `IAM` \u003e `Service Accounts`.\n2. Click `CREATE SERVICE ACCOUNT`.\n3. Give a name to your service account (for example - `terragoat`) and click `CREATE`.\n4. Grant the Service Account the `Project` \u003e `Editor` role and click `CONTINUE`.\n5. Click `DONE`.\n\nTo create the credentials:\n1. Sign into your GCP project, go to `IAM` \u003e `Service Accounts` and click on the relevant Service Account.\n2. Click `ADD KEY` \u003e `Create new key` \u003e `JSON` and click `CREATE`. This will create a `.json` file and download it to your computer.\n\nWe recommend saving the key with a nicer name than the auto-generated one (e.g. 
`terragoat_credentials.json`), and storing the resulting JSON file inside the `terraform/gcp` directory of terragoat.\nOnce the credentials are set up, create the backend configuration as follows:\n\n```bash\nexport TF_VAR_environment=\"dev\"\nexport TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat\nexport TF_VAR_credentials_path=\u003cPATH_TO_CREDENTIALS_FILE\u003e # example: export TF_VAR_credentials_path=terragoat_credentials.json\nexport TF_VAR_project=\u003cYOUR_PROJECT_NAME_HERE\u003e\n\n# Create storage bucket\ngsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}\n```\n\n#### Apply TerraGoat (GCP)\n\n```bash\ncd terraform/gcp/\nterraform init -reconfigure -backend-config=\"bucket=$TF_TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config \"credentials=$TF_VAR_credentials_path\" \\\n    -backend-config \"prefix=terragoat/${TF_VAR_environment}\"\n\nterraform apply\n```\n\n#### Remove TerraGoat (GCP)\n\n```bash\nterraform destroy\n```\n\n## Bridgecrew's IaC herd of goats\n\n* [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template\n* [TerraGoat](https://github.com/bridgecrewio/terragoat) - Vulnerable by design Terraform stack\n* [CDKGoat](https://github.com/bridgecrewio/cdkgoat) - Vulnerable by design CDK application\n* [kustomizegoat](https://github.com/bridgecrewio/kustomizegoat) - Vulnerable by design kustomize deployment\n\n## Contributing\n\nContribution is welcomed!\n\nWe would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.\n\n## Support\n\n[Bridgecrew](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=terragoat) builds and maintains TerraGoat to encourage the adoption of policy-as-code.\n\nIf you need direct support you can contact us at [info@bridgecrew.io](mailto:info@bridgecrew.io).\n\n## Existing vulnerabilities (Auto-Generated)\n### terraform scan results:\n\n|     | check_id      | file                          | resource                     
                           | check_name                                                                                                                                                   | guideline                                                                                                                                    |\n|-----|---------------|-------------------------------|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|\n|   0 | CKV_ALI_10    | /alicloud/bucket.tf           | alicloud_oss_bucket.bad_bucket                          | Ensure OSS bucket has versioning enabled                                                                                                                     |                                                                                                                                              |\n|   1 | CKV_ALI_12    | /alicloud/bucket.tf           | alicloud_oss_bucket.bad_bucket                          | Ensure the OSS bucket has access logging enabled                                                                                                             |                                                                                                                                              |\n|   2 | CKV_ALI_11    | /alicloud/bucket.tf           | alicloud_oss_bucket.bad_bucket                          | Ensure OSS bucket has transfer Acceleration enabled                                                                                                          |                                                                                                                                              
|\n|   3 | CKV_ALI_1     | /alicloud/bucket.tf           | alicloud_oss_bucket.bad_bucket                          | Alibaba Cloud OSS bucket accessible to public                                                                                                                |                                                                                                                                              |\n|   4 | CKV_ALI_6     | /alicloud/bucket.tf           | alicloud_oss_bucket.bad_bucket                          | Ensure OSS bucket is encrypted with Customer Master Key                                                                                                      |                                                                                                                                              |\n|   5 | CKV_ALI_36    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance has log_disconnections enabled                                                                                                           |                                                                                                                                              |\n|   6 | CKV_ALI_37    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance has log_connections enabled                                                                                                              |                                                                                                                                              |\n|   7 | CKV_ALI_34    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance is set to auto upgrade minor versions                                                                                                    |                                                         
                                                                                     |\n|   8 | CKV_ALI_20    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance uses SSL                                                                                                                                 |                                                                                                                                              |\n|   9 | CKV_ALI_30    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance auto upgrades for minor versions                                                                                                         |                                                                                                                                              |\n|  10 | CKV_ALI_35    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS instance has log_duration enabled                                                                                                                 |                                                                                                                                              |\n|  11 | CKV_ALI_9     | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure database instance is not public                                                                                                                       |                                                                                                                                              |\n|  12 | CKV_ALI_25    | /alicloud/rds.tf              | alicloud_db_instance.seeme                              | Ensure RDS Instance SQL Collector Retention Period should be greater than 180                                                     
                           |                                                                                                                                              |\n|  13 | CKV_ALI_4     | /alicloud/trail.tf            | alicloud_actiontrail_trail.fail                         | Ensure Action Trail Logging for all regions                                                                                                                  |                                                                                                                                              |\n|  14 | CKV_ALI_5     | /alicloud/trail.tf            | alicloud_actiontrail_trail.fail                         | Ensure Action Trail Logging for all events                                                                                                                   |                                                                                                                                              |\n|  15 | CKV_ALI_10    | /alicloud/trail.tf            | alicloud_oss_bucket.trail                               | Ensure OSS bucket has versioning enabled                                                                                                                     |                                                                                                                                              |\n|  16 | CKV_ALI_12    | /alicloud/trail.tf            | alicloud_oss_bucket.trail                               | Ensure the OSS bucket has access logging enabled                                                                                                             |                                                                                                                                              |\n|  17 | CKV_ALI_11    | /alicloud/trail.tf            | alicloud_oss_bucket.trail                               | Ensure OSS bucket has transfer Acceleration 
enabled                                                                                                          |                                                                                                                                              |\n|  18 | CKV_ALI_6     | /alicloud/trail.tf            | alicloud_oss_bucket.trail                               | Ensure OSS bucket is encrypted with Customer Master Key                                                                                                      |                                                                                                                                              |\n|  19 | CKV_AWS_157   | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure that RDS instances have Multi-AZ enabled                                                                                                              | https://docs.bridgecrew.io/docs/general_73                                                                                                   |\n|  20 | CKV_AWS_161   | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure RDS database has IAM authentication enabled                                                                                                           | https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled                                                           |\n|  21 | CKV_AWS_16    | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure all data stored in the RDS is securely encrypted at rest                                                                                              | https://docs.bridgecrew.io/docs/general_4                                                                                                    |\n|  22 | CKV_AWS_226   | /aws/db-app.tf                | 
aws_db_instance.default                                 | Ensure DB instance gets all minor upgrades automatically                                                                                                     |                                                                                                                                              |\n|  23 | CKV_AWS_17    | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure all data stored in RDS is not publicly accessible                                                                                                     | https://docs.bridgecrew.io/docs/public_2                                                                                                     |\n|  24 | CKV_AWS_118   | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure that enhanced monitoring is enabled for Amazon RDS instances                                                                                          | https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances                                          |\n|  25 | CKV_AWS_129   | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled                                                                   | https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled                     |\n|  26 | CKV_AWS_133   | /aws/db-app.tf                | aws_db_instance.default                                 | Ensure that RDS instances has backup policy                                                                                                                  | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy                                       
                          |\n|  27 | CKV_AWS_23    | /aws/db-app.tf                | aws_security_group.default                              | Ensure every security groups rule has a description                                                                                                          | https://docs.bridgecrew.io/docs/networking_31                                                                                                |\n|  28 | CKV_AWS_23    | /aws/db-app.tf                | aws_security_group_rule.ingress                         | Ensure every security groups rule has a description                                                                                                          | https://docs.bridgecrew.io/docs/networking_31                                                                                                |\n|  29 | CKV_AWS_23    | /aws/db-app.tf                | aws_security_group_rule.egress                          | Ensure every security groups rule has a description                                                                                                          | https://docs.bridgecrew.io/docs/networking_31                                                                                                |\n|  30 | CKV_AWS_79    | /aws/db-app.tf                | aws_instance.db_app                                     | Ensure Instance Metadata Service Version 1 is not enabled                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_general_31                                                                                            |\n|  31 | CKV_AWS_135   | /aws/db-app.tf                | aws_instance.db_app                                     | Ensure that EC2 is EBS optimized                                                                                                                             | 
https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized                                                                             |\n|  32 | CKV_AWS_8     | /aws/db-app.tf                | aws_instance.db_app                                     | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted                                                    | https://docs.bridgecrew.io/docs/general_13                                                                                                   |\n|  33 | CKV_AWS_126   | /aws/db-app.tf                | aws_instance.db_app                                     | Ensure that detailed monitoring is enabled for EC2 instances                                                                                                 | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances                                                 |\n|  34 | CKV_AWS_79    | /aws/ec2.tf                   | aws_instance.web_host                                   | Ensure Instance Metadata Service Version 1 is not enabled                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_general_31                                                                                            |\n|  35 | CKV_AWS_135   | /aws/ec2.tf                   | aws_instance.web_host                                   | Ensure that EC2 is EBS optimized                                                                                                                             | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized                                                                             |\n|  36 | CKV_AWS_8     | /aws/ec2.tf                   | aws_instance.web_host                                   | Ensure all data stored in the Launch configuration or instance Elastic 
Blocks Store is securely encrypted                                                    | https://docs.bridgecrew.io/docs/general_13                                                                                                   |\n|  37 | CKV_AWS_46    | /aws/ec2.tf                   | aws_instance.web_host                                   | Ensure no hard-coded secrets exist in EC2 user data                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_secrets_1                                                                                             |\n|  38 | CKV_AWS_126   | /aws/ec2.tf                   | aws_instance.web_host                                   | Ensure that detailed monitoring is enabled for EC2 instances                                                                                                 | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances                                                 |\n|  39 | CKV_AWS_3     | /aws/ec2.tf                   | aws_ebs_volume.web_host_storage                         | Ensure all data stored in the EBS is securely encrypted                                                                                                      | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume                                                                                 |\n|  40 | CKV_AWS_189   | /aws/ec2.tf                   | aws_ebs_volume.web_host_storage                         | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)                                                                                     | https://docs.bridgecrew.io/docs/bc_aws_general_109                                                                                           |\n|  41 | CKV_AWS_23    | /aws/ec2.tf                   | aws_security_group.web-node                 
            | Ensure every security groups rule has a description                                                                                                          | https://docs.bridgecrew.io/docs/networking_31                                                                                                |\n|  42 | CKV_AWS_260   | /aws/ec2.tf                   | aws_security_group.web-node                             | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80                                                                                            |                                                                                                                                              |\n|  43 | CKV_AWS_24    | /aws/ec2.tf                   | aws_security_group.web-node                             | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22                                                                                            | https://docs.bridgecrew.io/docs/networking_1-port-security                                                                                   |\n|  44 | CKV_AWS_130   | /aws/ec2.tf                   | aws_subnet.web_subnet                                   | Ensure VPC subnets do not assign public IP by default                                                                                                        | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default                                                        |\n|  45 | CKV_AWS_130   | /aws/ec2.tf                   | aws_subnet.web_subnet2                                  | Ensure VPC subnets do not assign public IP by default                                                                                                        | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default                                                        |\n|  46 | 
CKV_AWS_136   | /aws/ecr.tf                   | aws_ecr_repository.repository                           | Ensure that ECR repositories are encrypted using KMS                                                                                                         | https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted                                                                   |\n|  47 | CKV_AWS_51    | /aws/ecr.tf                   | aws_ecr_repository.repository                           | Ensure ECR Image Tags are immutable                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_general_24                                                                                            |\n|  48 | CKV_AWS_163   | /aws/ecr.tf                   | aws_ecr_repository.repository                           | Ensure ECR image scanning on push is enabled                                                                                                                 | https://docs.bridgecrew.io/docs/general_8                                                                                                    |\n|  49 | CKV_AWS_130   | /aws/eks.tf                   | aws_subnet.eks_subnet1                                  | Ensure VPC subnets do not assign public IP by default                                                                                                        | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default                                                        |\n|  50 | CKV_AWS_130   | /aws/eks.tf                   | aws_subnet.eks_subnet2                                  | Ensure VPC subnets do not assign public IP by default                                                                                                        | 
https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default                                                        |\n|  51 | CKV_AWS_39    | /aws/eks.tf                   | aws_eks_cluster.eks_cluster                             | Ensure Amazon EKS public endpoint disabled                                                                                                                   | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2                                                                                          |\n|  52 | CKV_AWS_38    | /aws/eks.tf                   | aws_eks_cluster.eks_cluster                             | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0                                                                                                | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1                                                                                          |\n|  53 | CKV_AWS_37    | /aws/eks.tf                   | aws_eks_cluster.eks_cluster                             | Ensure Amazon EKS control plane logging enabled for all log types                                                                                            | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4                                                                                          |\n|  54 | CKV_AWS_58    | /aws/eks.tf                   | aws_eks_cluster.eks_cluster                             | Ensure EKS Cluster has Secrets Encryption Enabled                                                                                                            | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3                                                                                          |\n|  55 | CKV_AWS_127   | /aws/elb.tf                   | aws_elb.weblb                                           | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by 
AWS Certificate Manager                                                               | https://docs.bridgecrew.io/docs/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager                 |\n|  56 | CKV_AWS_92    | /aws/elb.tf                   | aws_elb.weblb                                           | Ensure the ELB has access logging enabled                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_logging_23                                                                                            |\n|  57 | CKV_AWS_111   | /aws/es.tf                    | aws_iam_policy_document.policy                          | Ensure IAM policies does not allow write access without constraints                                                                                          | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint                                             |\n|  58 | CKV_AWS_109   | /aws/es.tf                    | aws_iam_policy_document.policy                          | Ensure IAM policies does not allow permissions management / resource exposure without constraints                                                            | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint                 |\n|  59 | CKV_AWS_137   | /aws/es.tf                    | aws_elasticsearch_domain.monitoring-framework           | Ensure that Elasticsearch is configured inside a VPC                                                                                                         | https://docs.bridgecrew.io/docs/ensure-that-elasticsearch-is-configured-inside-a-vpc                                                         |\n|  60 | CKV_AWS_247   | /aws/es.tf                    | 
aws_elasticsearch_domain.monitoring-framework           | Ensure all data stored in the Elasticsearch is encrypted with a CMK                                                                                          |                                                                                                                                              |\n|  61 | CKV_AWS_248   | /aws/es.tf                    | aws_elasticsearch_domain.monitoring-framework           | Ensure that Elasticsearch is not using the default Security Group                                                                                            |                                                                                                                                              |\n|  62 | CKV_AWS_228   | /aws/es.tf                    | aws_elasticsearch_domain.monitoring-framework           | Verify Elasticsearch domain is using an up to date TLS policy                                                                                                |                                                                                                                                              |\n|  63 | CKV_AWS_84    | /aws/es.tf                    | aws_elasticsearch_domain.monitoring-framework           | Ensure Elasticsearch Domain Logging is enabled                                                                                                               | https://docs.bridgecrew.io/docs/elasticsearch_7                                                                                              |\n|  64 | CKV_AWS_5     | /aws/es.tf                    | aws_elasticsearch_domain.monitoring-framework           | Ensure all data stored in the Elasticsearch is securely encrypted at rest                                                                                    | https://docs.bridgecrew.io/docs/elasticsearch_3-enable-encryptionatrest                                            
                          |\n|  65 | CKV_AWS_7     | /aws/kms.tf                   | aws_kms_key.logs_key                                    | Ensure rotation for customer created CMKs is enabled                                                                                                         | https://docs.bridgecrew.io/docs/logging_8                                                                                                    |\n|  66 | CKV_AWS_115   | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | Ensure that AWS Lambda function is configured for function-level concurrent execution limit                                                                  | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit                  |\n|  67 | CKV_AWS_45    | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | Ensure no hard-coded secrets exist in lambda environment                                                                                                     | https://docs.bridgecrew.io/docs/bc_aws_secrets_3                                                                                             |\n|  68 | CKV_AWS_50    | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | X-ray tracing is enabled for Lambda                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_serverless_4                                                                                          |\n|  69 | CKV_AWS_117   | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | Ensure that AWS Lambda function is configured inside a VPC                                                                                                   | 
https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1                                                 |\n|  70 | CKV_AWS_173   | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | Check encryption settings for Lambda environmental variable                                                                                                  | https://docs.bridgecrew.io/docs/bc_aws_serverless_5                                                                                          |\n|  71 | CKV_AWS_116   | /aws/lambda.tf                | aws_lambda_function.analysis_lambda                     | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)                                                                                   | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq                                    |\n|  72 | CKV_AWS_44    | /aws/neptune.tf               | aws_neptune_cluster.default                             | Ensure Neptune storage is securely encrypted                                                                                                                 | https://docs.bridgecrew.io/docs/general_18                                                                                                   |\n|  73 | CKV_AWS_101   | /aws/neptune.tf               | aws_neptune_cluster.default                             | Ensure Neptune logging is enabled                                                                                                                            | https://docs.bridgecrew.io/docs/bc_aws_logging_24                                                                                            |\n|  74 | CKV_AWS_41    | /aws/providers.tf             | aws.plain_text_access_keys_provider                     | Ensure no hard coded AWS access key and secret key exists in provider     
                                                                                   | https://docs.bridgecrew.io/docs/bc_aws_secrets_5                                                                                             |\n|  75 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app1-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  76 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app1-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  77 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app1-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  78 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app1-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n|  79 | CKV_AWS_133   | /aws/rds.tf                   | aws_rds_cluster.app1-rds-cluster               
         | Ensure that RDS instances has backup policy                                                                                                                  | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy                                                                 |\n|  80 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app2-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  81 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app2-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  82 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app2-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  83 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app2-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n|  84 | 
CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app3-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  85 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app3-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  86 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app3-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  87 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app3-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n|  88 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app4-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | 
https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  89 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app4-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  90 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app4-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  91 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app4-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n|  92 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app5-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  93 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app5-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                 
                                                                                   | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  94 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app5-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  95 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app5-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n|  96 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app6-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n|  97 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app6-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n|  98 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app6-rds-cluster               
         | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n|  99 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app6-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n| 100 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app7-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n| 101 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app7-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n| 102 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app7-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n| 103 | 
CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app7-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n| 104 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app8-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n| 105 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app8-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n| 106 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app8-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n| 107 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app8-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | 
https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n| 108 | CKV_AWS_128   | /aws/rds.tf                   | aws_rds_cluster.app9-rds-cluster                        | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled                                                      | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled                                           |\n| 109 | CKV_AWS_139   | /aws/rds.tf                   | aws_rds_cluster.app9-rds-cluster                        | Ensure that RDS clusters have deletion protection enabled                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled                                      |\n| 110 | CKV_AWS_96    | /aws/rds.tf                   | aws_rds_cluster.app9-rds-cluster                        | Ensure all data stored in Aurora is securely encrypted at rest                                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_38                                                                                            |\n| 111 | CKV_AWS_162   | /aws/rds.tf                   | aws_rds_cluster.app9-rds-cluster                        | Ensure RDS cluster has IAM authentication enabled                                                                                                            | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled                                                            |\n| 112 | CKV_AWS_186   | /aws/s3.tf                    | aws_s3_bucket_object.data_object                        | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key 
(CMK)                                                                               | https://docs.bridgecrew.io/docs/bc_aws_general_106                                                                                           |\n| 113 | CKV_AZURE_116 | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure that AKS uses Azure Policies Add-on                                                                                                                   | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on                                                                   |\n| 114 | CKV_AZURE_8   | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure Kubernetes Dashboard is disabled                                                                                                                      | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5                                                                                          |\n| 115 | CKV_AZURE_4   | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure AKS logging to Azure Monitoring is Configured                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1                                                                                          |\n| 116 | CKV_AZURE_117 | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure that AKS uses disk encryption set                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set                                                                     |\n| 117 | CKV_AZURE_115 | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster        
          | Ensure that AKS enables private clusters                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters                                                                     |\n| 118 | CKV_AZURE_141 | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure AKS local admin account is disabled                                                                                                                   |                                                                                                                                              |\n| 119 | CKV_AZURE_7   | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure AKS cluster has Network Policy configured                                                                                                             | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4                                                                                          |\n| 120 | CKV_AZURE_6   | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure AKS has an API Server Authorized IP Ranges enabled                                                                                                    | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3                                                                                          |\n| 121 | CKV_AZURE_5   | /azure/aks.tf                 | azurerm_kubernetes_cluster.k8s_cluster                  | Ensure RBAC is enabled on AKS clusters                                                                                                                       | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2                                                                                          |\n| 122 | 
CKV_AZURE_15  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure web app is using the latest version of TLS encryption                                                                                                 | https://docs.bridgecrew.io/docs/bc_azr_networking_6                                                                                          |\n| 123 | CKV_AZURE_78  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure FTP deployments are disabled                                                                                                                          | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled                                                                          |\n| 124 | CKV_AZURE_18  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that 'HTTP Version' is the latest if used to run the web app                                                                                          | https://docs.bridgecrew.io/docs/bc_azr_networking_8                                                                                          |\n| 125 | CKV_AZURE_88  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that app services use Azure Files                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files                                                                     |\n| 126 | CKV_AZURE_13  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure App Service Authentication is set on Azure App Service                                                                                                | https://docs.bridgecrew.io/docs/bc_azr_general_2                   
                                                                          |\n| 127 | CKV_AZURE_71  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that Managed identity provider is enabled for app services                                                                                            | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services                                            |\n| 128 | CKV_AZURE_80  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that 'Net Framework' version is the latest, if used as a part of the web app                                                                          | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app                             |\n| 129 | CKV_AZURE_65  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that App service enables detailed error messages                                                                                                      | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages                                                   |\n| 130 | CKV_AZURE_63  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that App service enables HTTP logging                                                                                                                 | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging                                                                 |\n| 131 | CKV_AZURE_17  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure the web app has 'Client Certificates (Incoming client certificates)' set                                                              
                | https://docs.bridgecrew.io/docs/bc_azr_networking_7                                                                                          |\n| 132 | CKV_AZURE_16  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that Register with Azure Active Directory is enabled on App Service                                                                                   | https://docs.bridgecrew.io/docs/bc_azr_iam_1                                                                                                 |\n| 133 | CKV_AZURE_66  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure that App service enables failed request tracing                                                                                                       | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing                                                       |\n| 134 | CKV_AZURE_14  | /azure/app_service.tf         | azurerm_app_service.app-service1                        | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service                                                                                      | https://docs.bridgecrew.io/docs/bc_azr_networking_5                                                                                          |\n| 135 | CKV_AZURE_78  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure FTP deployments are disabled                                                                                                                          | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled                                                                          |\n| 136 | CKV_AZURE_18  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that 'HTTP Version' is the latest if used to run 
the web app                                                                                          | https://docs.bridgecrew.io/docs/bc_azr_networking_8                                                                                          |\n| 137 | CKV_AZURE_88  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that app services use Azure Files                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files                                                                     |\n| 138 | CKV_AZURE_13  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure App Service Authentication is set on Azure App Service                                                                                                | https://docs.bridgecrew.io/docs/bc_azr_general_2                                                                                             |\n| 139 | CKV_AZURE_71  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that Managed identity provider is enabled for app services                                                                                            | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services                                            |\n| 140 | CKV_AZURE_80  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that 'Net Framework' version is the latest, if used as a part of the web app                                                                          | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app                             |\n| 141 | CKV_AZURE_65  | /azure/app_service.tf         | 
azurerm_app_service.app-service2                        | Ensure that App service enables detailed error messages                                                                                                      | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages                                                   |\n| 142 | CKV_AZURE_63  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that App service enables HTTP logging                                                                                                                 | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging                                                                 |\n| 143 | CKV_AZURE_17  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure the web app has 'Client Certificates (Incoming client certificates)' set                                                                              | https://docs.bridgecrew.io/docs/bc_azr_networking_7                                                                                          |\n| 144 | CKV_AZURE_16  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that Register with Azure Active Directory is enabled on App Service                                                                                   | https://docs.bridgecrew.io/docs/bc_azr_iam_1                                                                                                 |\n| 145 | CKV_AZURE_66  | /azure/app_service.tf         | azurerm_app_service.app-service2                        | Ensure that App service enables failed request tracing                                                                                                       | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing                             
                          |\n| 146 | CKV_AZURE_1   | /azure/instance.tf            | azurerm_linux_virtual_machine.linux_machine             | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)                                                                                 | https://docs.bridgecrew.io/docs/bc_azr_networking_1                                                                                          |\n| 147 | CKV_AZURE_50  | /azure/instance.tf            | azurerm_linux_virtual_machine.linux_machine             | Ensure Virtual Machine Extensions are not Installed                                                                                                          | https://docs.bridgecrew.io/docs/bc_azr_general_14                                                                                            |\n| 148 | CKV_AZURE_149 | /azure/instance.tf            | azurerm_linux_virtual_machine.linux_machine             | Ensure that Virtual machine does not enable password authentication                                                                                          |                                                                                                                                              |\n| 149 | CKV_AZURE_151 | /azure/instance.tf            | azurerm_windows_virtual_machine.windows_machine         | Ensure Windows VM enables encryption                                                                                                                         |                                                                                                                                              |\n| 150 | CKV_AZURE_50  | /azure/instance.tf            | azurerm_windows_virtual_machine.windows_machine         | Ensure Virtual Machine Extensions are not Installed                                                                                                          | 
https://docs.bridgecrew.io/docs/bc_azr_general_14                                                                                            |\n| 151 | CKV_AZURE_109 | /azure/key_vault.tf           | azurerm_key_vault.example                               | Ensure that key vault allows firewall rules settings                                                                                                         | https://docs.bridgecrew.io/docs/ensure-that-key-vault-allows-firewall-rules-settings                                                         |\n| 152 | CKV_AZURE_42  | /azure/key_vault.tf           | azurerm_key_vault.example                               | Ensure the key vault is recoverable                                                                                                                          | https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable                                                                          |\n| 153 | CKV_AZURE_110 | /azure/key_vault.tf           | azurerm_key_vault.example                               | Ensure that key vault enables purge protection                                                                                                               | https://docs.bridgecrew.io/docs/ensure-that-key-vault-enables-purge-protection                                                               |\n| 154 | CKV_AZURE_112 | /azure/key_vault.tf           | azurerm_key_vault_key.generated                         | Ensure that key vault key is backed by HSM                                                                                                                   | https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm                                                                   |\n| 155 | CKV_AZURE_40  | /azure/key_vault.tf           | azurerm_key_vault_key.generated                         | Ensure that the expiration date is set on all keys                        
                                                                                   | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys                                                                           |\n| 156 | CKV_AZURE_114 | /azure/key_vault.tf           | azurerm_key_vault_secret.secret                         | Ensure that key vault secrets have \"content_type\" set                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-key-vault-secrets-have-content_type-set                                                          |\n| 157 | CKV_AZURE_41  | /azure/key_vault.tf           | azurerm_key_vault_secret.secret                         | Ensure that the expiration date is set on all secrets                                                                                                        | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets                                                                        |\n| 158 | CKV_AZURE_38  | /azure/logging.tf             | azurerm_monitor_log_profile.logging_profile             | Ensure audit profile captures all the activities                                                                                                             | https://docs.bridgecrew.io/docs/ensure-audit-profile-captures-all-activities                                                                 |\n| 159 | CKV_AZURE_37  | /azure/logging.tf             | azurerm_monitor_log_profile.logging_profile             | Ensure that Activity Log Retention is set 365 days or greater                                                                                                | https://docs.bridgecrew.io/docs/set-activity-log-retention-to-365-days-or-greater                                                            |\n| 160 | CKV_AZURE_35  | /azure/mssql.tf               | 
azurerm_storage_account.security_storage_account        | Ensure default network access rule for Storage Accounts is set to deny                                                                                       | https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny                                                 |\n| 161 | CKV_AZURE_33  | /azure/mssql.tf               | azurerm_storage_account.security_storage_account        | Ensure Storage logging is enabled for Queue service for read, write and delete requests                                                                      | https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service                                                         |\n| 162 | CKV_AZURE_44  | /azure/mssql.tf               | azurerm_storage_account.security_storage_account        | Ensure Storage Account is using the latest version of TLS encryption                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_storage_2                                                                                             |\n| 163 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql1                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 164 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql1                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                              
                          |\n| 165 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql2                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 166 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql2                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 167 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql3                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 168 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql3                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 169 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql4                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | 
https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 170 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql4                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 171 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql5                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 172 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql5                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 173 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql6                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 174 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql6                             | Ensure that SQL server disables public network access                     
                                                                                   | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 175 | CKV_AZURE_52  | /azure/mssql.tf               | azurerm_mssql_server.mssql7                             | Ensure MSSQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 176 | CKV_AZURE_113 | /azure/mssql.tf               | azurerm_mssql_server.mssql7                             | Ensure that SQL server disables public network access                                                                                                        | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access                                                        |\n| 177 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 178 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 179 | CKV_AZURE_25  | /azure/mssql.tf               | 
azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 180 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 181 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 182 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 183 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                   
                          |\n| 184 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 185 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 186 | CKV_AZURE_26  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Send Alerts To' is enabled for MSSQL servers                                                                                                    | https://docs.bridgecrew.io/docs/bc_azr_general_7                                                                                             |\n| 187 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 188 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | 
https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 189 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 190 | CKV_AZURE_25  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 191 | CKV_AZURE_27  | /azure/mssql.tf               | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 192 | CKV_AZURE_10  | /azure/networking.tf          | azurerm_network_security_group.bad_sg                   | Ensure that SSH access is restricted from the internet                                                                                                       | https://docs.bridgecrew.io/docs/bc_azr_networking_3                                                                                          |\n| 193 | CKV_AZURE_9   | /azure/networking.tf          | azurerm_network_security_group.bad_sg                   | Ensure that RDP access is restricted from the internet                    
                                                                                   | https://docs.bridgecrew.io/docs/bc_azr_networking_2                                                                                          |\n| 194 | CKV_AZURE_12  | /azure/networking.tf          | azurerm_network_watcher_flow_log.flow_log               | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'                                                                       | https://docs.bridgecrew.io/docs/bc_azr_logging_1                                                                                             |\n| 195 | CKV_AZURE_39  | /azure/roles.tf               | azurerm_role_definition.example                         | Ensure that no custom subscription owner roles are created                                                                                                   | https://docs.bridgecrew.io/docs/do-not-create-custom-subscription-owner-roles                                                                |\n| 196 | CKV_AZURE_19  | /azure/security_center.tf     | azurerm_security_center_subscription_pricing.pricing    | Ensure that standard pricing tier is selected                                                                                                                | https://docs.bridgecrew.io/docs/ensure-standard-pricing-tier-is-selected                                                                     |\n| 197 | CKV_AZURE_20  | /azure/security_center.tf     | azurerm_security_center_contact.contact                 | Ensure that security contact 'Phone number' is set                                                                                                           | https://docs.bridgecrew.io/docs/bc_azr_general_3                                                                                             |\n| 198 | CKV_AZURE_22  | /azure/security_center.tf     | azurerm_security_center_contact.contact        
         | Ensure that 'Send email notification for high severity alerts' is set to 'On'                                                                                | https://docs.bridgecrew.io/docs/bc_azr_general_5                                                                                             |\n| 199 | CKV_AZURE_21  | /azure/security_center.tf     | azurerm_security_center_contact.contact                 | Ensure that 'Send email notification for high severity alerts' is set to 'On'                                                                                | https://docs.bridgecrew.io/docs/bc_azr_general_4                                                                                             |\n| 200 | CKV_AZURE_25  | /azure/sql.tf                 | azurerm_mssql_server_security_alert_policy.example      | Ensure that 'Threat Detection types' is set to 'All'                                                                                                         | https://docs.bridgecrew.io/docs/bc_azr_general_6                                                                                             |\n| 201 | CKV_AZURE_26  | /azure/sql.tf                 | azurerm_mssql_server_security_alert_policy.example      | Ensure that 'Send Alerts To' is enabled for MSSQL servers                                                                                                    | https://docs.bridgecrew.io/docs/bc_azr_general_7                                                                                             |\n| 202 | CKV_AZURE_27  | /azure/sql.tf                 | azurerm_mssql_server_security_alert_policy.example      | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers                                                                             | https://docs.bridgecrew.io/docs/bc_azr_general_8                                                                                             |\n| 203 | 
CKV_AZURE_127 | /azure/sql.tf                 | azurerm_mysql_server.example                            | Ensure that My SQL server enables Threat detection policy                                                                                                    | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-threat-detection-policy                                                    |\n| 204 | CKV_AZURE_94  | /azure/sql.tf                 | azurerm_mysql_server.example                            | Ensure that My SQL server enables geo-redundant backups                                                                                                      | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-geo-redundant-backups                                                      |\n| 205 | CKV_AZURE_53  | /azure/sql.tf                 | azurerm_mysql_server.example                            | Ensure 'public network access enabled' is set to 'False' for mySQL servers                                                                                   | https://docs.bridgecrew.io/docs/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers                                       |\n| 206 | CKV_AZURE_54  | /azure/sql.tf                 | azurerm_mysql_server.example                            | Ensure MySQL is using the latest version of TLS encryption                                                                                                   | https://docs.bridgecrew.io/docs/ensure-mysql-is-using-the-latest-version-of-tls-encryption                                                   |\n| 207 | CKV_AZURE_28  | /azure/sql.tf                 | azurerm_mysql_server.example                            | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server                                                                                | https://docs.bridgecrew.io/docs/bc_azr_networking_9                
                                                                          |\n| 208 | CKV_AZURE_147 | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure PostgreSQL is using the latest version of TLS encryption                                                                                              |                                                                                                                                              |\n| 209 | CKV_AZURE_130 | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure that PostgreSQL server enables infrastructure encryption                                                                                              | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-infrastructure-encryption                                              |\n| 210 | CKV_AZURE_29  | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server                                                                           | https://docs.bridgecrew.io/docs/bc_azr_networking_10                                                                                         |\n| 211 | CKV_AZURE_128 | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure that PostgreSQL server enables Threat detection policy                                                                                                | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-threat-detection-policy                                                |\n| 212 | CKV_AZURE_102 | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure that PostgreSQL server enables geo-redundant backups                                                                                  
                | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-geo-redundant-backups                                                  |\n| 213 | CKV_AZURE_68  | /azure/sql.tf                 | azurerm_postgresql_server.example                       | Ensure that PostgreSQL server disables public network access                                                                                                 | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-disables-public-network-access                                                 |\n| 214 | CKV_AZURE_32  | /azure/sql.tf                 | azurerm_postgresql_configuration.thrtottling_config     | Ensure server parameter 'connection_throttling' is set to 'ON' fo","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fterragoat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbridgecrewio%2Fterragoat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fterragoat/lists"}