Skip to content

feat(query): implements "Beta - Cloud Asset Inventory Disabled" - Terraform/gcp #7775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 22 commits into
base: master
Choose a base branch
from
Open

feat(query): implements "Beta - Cloud Asset Inventory Disabled" - Terraform/gcp #7775

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
f7b4a81
initial implementation
cx-andre-pereira Oct 17, 2025
1e70b02
expected results
cx-andre-pereira Oct 17, 2025
9963a69
more precise 'contains' use and improved tests and logic
cx-andre-pereira Oct 17, 2025
d98e621
expected results fix
cx-andre-pereira Oct 17, 2025
ed2fdd2
changes to bring query inline with most other queries
cx-andre-pereira Oct 19, 2025
c27a48d
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 21, 2025
0e0a6f0
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 24, 2025
6533dea
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 26, 2025
6772ab8
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-1…
cx-andre-pereira Oct 27, 2025
a58c0de
Merge branch 'AST-116620_7_2-Logging_and_Monitoring_ensure_cloud_asse…
cx-andre-pereira Oct 27, 2025
8c7b6d1
revamped logic for 1 valid resource per document
cx-andre-pereira Oct 27, 2025
c3d65de
work in progress
cx-andre-pereira Oct 27, 2025
a4bf12b
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 28, 2025
92dc5f4
Merge branch 'AST-116620_7_2-Logging_and_Monitoring_ensure_cloud_asse…
cx-andre-pereira Oct 28, 2025
62e5e6e
simId transition update
cx-andre-pereira Oct 28, 2025
25890d2
complete implementation
cx-andre-pereira Oct 30, 2025
04d01a9
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 30, 2025
468f46a
expected results fix
cx-andre-pereira Oct 30, 2025
2c68ffa
logic and test for 0 target resources
cx-andre-pereira Oct 30, 2025
181beac
fix attempt
cx-andre-pereira Oct 30, 2025
6bc0df7
logic rework and sample removed
cx-andre-pereira Oct 30, 2025
402c095
Merge branch 'master' into AST-116620_7_2-Logging_and_Monitoring_ensu…
cx-andre-pereira Oct 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"id": "4f60da73-190e-4048-8e1d-cc5a3974cd15",
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "The 'google_project_service.service' field must include 'cloudasset.googleapis.com' to allow Cloud Asset Inventory",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_service#service-1",
"platform": "Terraform",
"descriptionID": "4f60da73",
"cloudProvider": "gcp",
"cwe": "778",
"riskScore": "3.0",
"experimental": "true"
}
51 changes: 51 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {
resources := [ res | res := {"value" : input.document[index].resource["google_project_service"][name], "doc_index" : index, "name" : name}]

not at_least_one_asset_inventory_enabled(resources)

result := {
"documentId": input.document[resources[x].doc_index].id,
"resourceType": "google_project_service",
"resourceName": tf_lib.get_resource_name(resources[x].value, resources[x].name),
"searchKey": sprintf("google_project_service[%s].service", [resources[x].name]),
"issueType": "IncorrectValue",
"keyExpectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'",
"keyActualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'",
"searchLine": common_lib.build_search_line(["resource", "google_project_service", resources[x].name, "service"], [])
}
}

at_least_one_asset_inventory_enabled(resources) {
service_includes_cloudasset(resources[y].value.service, resources[y].value, input.document[resources[y].doc_index])
}

service_includes_cloudasset(service, project, doc) {
service == "cloudasset.googleapis.com"
} else {
service == "${each.value}"
contains(project.for_each, "\"cloudasset.googleapis.com\"")
} else {
service == "${each.value}"
project.for_each[_] == "cloudasset.googleapis.com"
} else {
service == "${each.value}"
regex.match("local\\..+", project.for_each)

patterns := {"${local.": "" , "}": "" }
local_name := strings.replace_n(patterns, project.for_each) # extracts the variable name

contains_or_in_set(doc.locals[local_name])
}

contains_or_in_set(local_var) {
local_var == "cloudasset.googleapis.com"
} else {
local_var[_] == "cloudasset.googleapis.com"
} else {
contains(local_var, "\"cloudasset.googleapis.com\"")
}
3 changes: 3 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
resource "google_project_service" "negative_1" {
service = "cloudasset.googleapis.com"
}
8 changes: 8 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
resource "google_project_service" "negative_2" {
for_each = toset([
"compute.googleapis.com",
"cloudasset.googleapis.com",
"pubsub.googleapis.com",
])
service = each.value # using for_each on a "toset"
}
7 changes: 7 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative3.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
resource "google_project_service" "negative_3" {
for_each = {
compute = "compute.googleapis.com"
cloudasset = "cloudasset.googleapis.com"
}
service = each.value # using for_each on a set
}
8 changes: 8 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative4.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
locals {
api = "cloudasset.googleapis.com"
}

resource "google_project_service" "negative_4" {
for_each = local.api # using the "api" from "locals" variables
service = each.value
}
12 changes: 12 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative5.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
locals {
apis_toset = toset([
"compute.googleapis.com",
"cloudasset.googleapis.com",
"pubsub.googleapis.com",
])
}

resource "google_project_service" "negative_5" {
for_each = local.apis_toset # using apis_toset from "locals" variables
service = each.value
}
11 changes: 11 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/negative6.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
locals {
apis_set = {
compute = "compute.googleapis.com"
cloudasset = "cloudasset.googleapis.com"
}
}

resource "google_project_service" "negative_6" {
for_each = local.apis_set # using apis_set from "locals" variables
service = each.value
}
7 changes: 7 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
resource "google_project_service" "positive1_1" {
service = "not_cloudasset.googleapis.com"
}

resource "google_project_service" "positive1_2" {
service = "not_cloudasset.googleapis.com_2"
}
7 changes: 7 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
resource "google_project_service" "positive_2" {
for_each = toset([
"compute.googleapis.com",
"pubsub.googleapis.com",
])
service = each.value
}
7 changes: 7 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive3.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
resource "google_project_service" "positive_3" {
for_each = {
compute = "compute.googleapis.com"
pubsub = "pubsub.googleapis.com"
}
service = each.value
}
8 changes: 8 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive4.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
locals {
api = "not_cloudasset.googleapis.com"
}

resource "google_project_service" "positive_4" {
for_each = local.api
service = each.value
}
11 changes: 11 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive5.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
locals {
apis_toset = toset([
"compute.googleapis.com",
"pubsub.googleapis.com",
])
}

resource "google_project_service" "positive_5" {
for_each = local.apis_toset
service = each.value
}
11 changes: 11 additions & 0 deletions assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive6.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
locals {
apis_set = {
compute = "compute.googleapis.com"
pubsub = "pubsub.googleapis.com"
}
}

resource "google_project_service" "positive_6" {
for_each = local.apis_set
service = each.value
}
44 changes: 44 additions & 0 deletions ...s/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
[
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 2,
"filename": "positive1.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 6,
"filename": "positive1.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 6,
"filename": "positive2.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 6,
"filename": "positive3.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 7,
"filename": "positive4.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 10,
"filename": "positive5.tf"
},
{
"queryName": "Beta - Cloud Asset Inventory Disabled",
"severity": "MEDIUM",
"line": 10,
"filename": "positive6.tf"
}
]
4 changes: 4 additions & 0 deletions assets/similarityID_transition/terraform_gcp.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,7 @@ similarityIDChangeList:
queryName: Beta - Google DNS Policy Logging Disabled
observations: ""
change: 2
- queryId: 4f60da73-190e-4048-8e1d-cc5a3974cd15
queryName: Beta - Cloud Asset Inventory Disabled
observations: ""
change: 2
Loading