From e24a63c7a73be2982de8bb7d8059cf0d5809812f Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Sun, 19 Oct 2025 14:50:34 +0100 Subject: [PATCH 01/12] initial_implementation --- .../metadata.json | 14 ++++ .../query.rego | 84 +++++++++++++++++++ .../test/negative.tf | 23 +++++ .../test/positive.tf | 39 +++++++++ .../test/positive_expected_result.json | 22 +++++ 5 files changed, 182 insertions(+) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json new file mode 100644 index 00000000000..d4d48c49630 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json 
@@ -0,0 +1,14 @@
+{
+ "id": "b5b70198-2a34-4792-b0d9-ce99abe485bb",
+ "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "All 'google_sql_database_instance' resource based on MYSQL should enable the 'skip_show_database' to prevent unwanted exposure",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
+ "platform": "Terraform",
+ "descriptionID": "b5b70198",
+ "cloudProvider": "gcp",
+ "cwe": "732",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego
new file mode 100644
index 00000000000..21715b9f208
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego
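Review bot: `"cwe": "732"` (Incorrect Permission Assignment for Critical Resource) is a loose fit for this control: `skip_show_database` grants or revokes nothing, it stops `SHOW DATABASES` from listing schema names to accounts that lack the SHOW DATABASES privilege, i.e. it closes an information-disclosure path, which CWE-200 (Exposure of Sensitive Information) describes more directly. If other GCP database-flag queries in this repository already use 732 and consistency is the goal, a sentence in the PR description saying so would be enough; otherwise `"cwe": "200"` is the closer match. The MEDIUM severity for a database-name enumeration weakness is defensible, but the same sentence could justify it.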
@@ -0,0 +1,84 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + resource := input.document[i].resource.google_sql_database_instance[name] + + contains(resource.database_version, "MYSQL") + results := get_results(resource, name) + + result := { + "documentId": input.document[i].id, + "resourceType": "google_sql_database_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": results.searchKey, + "issueType": results.issueType, + "keyExpectedValue": results.keyExpectedValue, + "keyActualValue": results.keyActualValue, + "searchLine": results.searchLine, + "remediation": results.remediation, + "remediationType": results.remediationType + } +} + +get_results(resource, name) = results { + not common_lib.valid_key(resource, "settings") + + results := { + "searchKey": sprintf("google_sql_database_instance[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []), + "remediation": null, + "remediationType": null + } +} else = results { + not common_lib.valid_key(resource.settings, "database_flags") + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []), + "remediation": null, + 
"remediationType": null + } + +} else = results { + not has_flag(resource.settings.database_flags) + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'skip_show_database'", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []), + "remediation": "database_flags {name = \"skip_show_database\", value = \"on\"}", + "remediationType": "addition" + } + +} else = results { + resource.settings.database_flags[x].name == "skip_show_database" + resource.settings.database_flags[x].value != "on" + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []), + "remediation": json.marshal({ + "before": sprintf("%s",[resource.settings.database_flags[x].value]), + "after": "on" + }), + "remediationType": "replacement" + } +} + +has_flag(database_flags) { + database_flags[_].name == "skip_show_database" +} 
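Review bot: `contains(resource.database_version, "MYSQL")` makes the whole query conditional on `database_version` being a resolved string; when the value is an unresolved expression (a variable or module output) the call is undefined and the instance is silently skipped, so MySQL instances configured that way are never reported. That is a reasonable scoping trade-off, but it should be stated above the `contains` line, e.g. `# skip_show_database only exists for MySQL; instances whose database_version is not a resolved MYSQL_* string are not evaluated (possible false negative)`. Separately, the fourth branch compares `value != "on"` exactly and binds `x` for every `skip_show_database` entry: if a configuration repeats that flag with non-`on` values, `get_results` yields a different `results` per index for the same input, which OPA, as far as I can tell, reports as an evaluation conflict rather than a finding. A fixture with a duplicated flag, or a first-match guard, would pin the intended behaviour.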
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf new file mode 100644 index 00000000000..2b33b808fbb --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf @@ -0,0 +1,23 @@ +resource "google_sql_database_instance" "negative_1" { + name = "main-instance" + database_version = "POSTGRES_15" # Is not a MYSQL instance + region = "us-central1" + + settings { + tier = "db-f1-micro" + } +} + +resource "google_sql_database_instance" "negative_2" { + name = "mysql-instance-with-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "skip_show_database", value = "on" }, # Has flag set to "on" + ] + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf new file mode 100644 index 00000000000..09dc97fa3eb --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf 
@@ -0,0 +1,39 @@ +resource "google_sql_database_instance" "positive_1" { + name = "mysql-instance-without-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + # Missing 'settings' field +} + +resource "google_sql_database_instance" "positive_2" { + name = "mysql-instance-without-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings {} # Missing 'database_flags' field +} + +resource "google_sql_database_instance" "positive_3" { + name = "mysql-instance-without-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings { + database_flags = [ + # Missing 'skip_show_database' flag + ] + } +} + +resource "google_sql_database_instance" "positive_4" { + name = "mysql-instance-with-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings { + database_flags = [ + { name = "skip_show_database", value = "off" } # Flag is not set to "on" + ] + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json new file mode 100644 index 00000000000..7a9c77de7fd --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json @@ -0,0 +1,22 @@ +[ + { + "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", + "severity": "MEDIUM", + "line": 1 + }, + { + "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", + "severity": "MEDIUM", + "line": 14 + }, + { + "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", + "severity": "MEDIUM", + "line": 23 + }, + { + "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", + "severity": "MEDIUM", + "line": 37 + } +] From 3a499df6296f3e7b60f0977a0f7a5d44819663f1 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Sun, 19 Oct 2025 16:36:22 +0100 Subject: [PATCH 02/12] fix remediations --- .../query.rego | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index 21715b9f208..9d56e9200af 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego @@ -32,8 +32,9 @@ get_results(resource, name) = results { "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []), - "remediation": null, - "remediationType": null + "remediation": "settings { database_flags = [{ name = \"skip_show_database\", value = \"on\" }] }", + "remediationType": "addition" + } } else = results { not common_lib.valid_key(resource.settings, "database_flags") @@ -44,8 +45,8 @@ get_results(resource, name) = results { "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []), - "remediation": null, - "remediationType": null + "remediation": "database_flags = [{ name = \"skip_show_database\", value = \"on\" }]", + "remediationType": "addition" } } else = results { 
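Review bot: The first hunk leaves an empty line inside the first branch's `results` object, between the new `"remediationType": "addition"` line and its closing `}` (the new side grows from 8 to 9 lines although the two removed key/value lines are replaced by exactly two). It is legal Rego, but none of the other three branches has it, and the follow-up commit that drops the remediation keys appears to carry it forward; deleting that blank line keeps the four result literals shaped alike.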
@@ -57,7 +58,7 @@ get_results(resource, name) = results { "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'skip_show_database'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []), - "remediation": "database_flags {name = \"skip_show_database\", value = \"on\"}", + "remediation": "{name = \"skip_show_database\", value = \"on\"}", "remediationType": "addition" } From 3c6cfbe224934b3c75da3abc38188e55daaaa32b Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Sun, 19 Oct 2025 16:58:38 +0100 Subject: [PATCH 03/12] removed remediations --- .../query.rego | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index 9d56e9200af..c437f62e86d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego @@ -17,9 +17,7 @@ CxPolicy[result] { "issueType": results.issueType, "keyExpectedValue": results.keyExpectedValue, "keyActualValue": results.keyActualValue, - "searchLine": results.searchLine, - "remediation": results.remediation, - "remediationType": results.remediationType + "searchLine": results.searchLine } } 
@@ -31,9 +29,7 @@ get_results(resource, name) = results { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []), - "remediation": "settings { database_flags = [{ name = \"skip_show_database\", value = \"on\" }] }", - "remediationType": "addition" + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) } } else = results { @@ -44,9 +40,7 @@ get_results(resource, name) = results { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []), - "remediation": "database_flags = [{ name = \"skip_show_database\", value = \"on\" }]", - "remediationType": "addition" + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } } else = results { 
@@ -57,9 +51,7 @@ get_results(resource, name) = results { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'skip_show_database'", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []), - "remediation": "{name = \"skip_show_database\", value = \"on\"}", - "remediationType": "addition" + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } } else = results { @@ -71,12 +63,7 @@ get_results(resource, name) = results { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []), - "remediation": json.marshal({ - "before": sprintf("%s",[resource.settings.database_flags[x].value]), - "after": "on" - }), - "remediationType": "replacement" + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) } } From d9f50184ab32c2eca77484794efa96a29a5c2552 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:07:41 +0100 Subject: [PATCH 04/12] mini fix --- .../sql_db_instance_with_exposed_show_privileges/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json index d4d48c49630..17219828dc0 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json @@ -3,7 +3,7 @@ "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", "category": "Insecure Configurations", - "descriptionText": "All 'google_sql_database_instance' resource based on MYSQL should enable the 'skip_show_database' to prevent unwanted exposure", + "descriptionText": "All 'google_sql_database_instance' resources based on MYSQL should enable the 'skip_show_database' flag to prevent unwanted exposure", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1", "platform": "Terraform", "descriptionID": "b5b70198", From 7216fca989763f8aa7d9b826ed97f1b2ca39254d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:15:51 +0100 Subject: [PATCH 05/12] small value improvement --- .../query.rego | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index c437f62e86d..7bdae46dc7b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego 
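Review bot: The reworded `descriptionText` still ends in the vague "to prevent unwanted exposure", and since the flag's effect is specific the description should say it: `"All 'google_sql_database_instance' resources based on MYSQL should set the 'skip_show_database' flag to 'on', so that SHOW DATABASES only works for users holding the SHOW DATABASES privilege and database names cannot be enumerated by every account"`. This text is what appears in scan reports, and the query name ("Exposed Show Privileges") alone does not tell a reader what is at risk.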
@@ -27,7 +27,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) @@ -38,7 +38,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } 
@@ -49,7 +49,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'skip_show_database'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } @@ -61,7 +61,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) } From ec2ea4403464cf0541506a3c9ec30d83c9f45a54 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 17:33:26 +0100 Subject: [PATCH 06/12] fix searchLines --- .../query.rego | 4 ++-- .../test/positive.tf | 7 ++++++- .../test/positive_expected_result.json | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index 7bdae46dc7b..ef94de1b292 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego @@ -59,11 +59,11 @@ get_results(resource, name) = results { resource.settings.database_flags[x].value != "on" results := { - "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf index 09dc97fa3eb..0757acdb330 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf 
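Review bot: The IncorrectValue branch now anchors `searchKey` and `searchLine` on `database_flags[%d].name`, but the attribute being judged wrong is `.value` (`keyActualValue` even prints that value), so the report points at the flag's name while the fix belongs on its value. If the intent is to highlight the flag entry itself, a one-line comment such as `# anchor on .name so the highlight lands on the flag entry rather than on its value` would make that explicit; otherwise use `"value"` in both the `searchKey` format string and the `build_search_line` path. For any fixture that writes `name` and `value` on separate lines, switching to `value` would also shift the expected result line.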
@@ -33,7 +33,12 @@ resource "google_sql_database_instance" "positive_4" { settings { database_flags = [ - { name = "skip_show_database", value = "off" } # Flag is not set to "on" + { name = "skip_show_database1", value = "off" }, # Flag is not set to "on" + { name = "skip_show_database2", value = "off" }, # Flag is not set to "on" + { name = "skip_show_database3", value = "off" }, # Flag is not set to "on" + { name = "skip_show_database", value = "off" }, # Flag is not set to "on" + { name = "skip_show_database4", value = "off" }, # Flag is not set to "on" + { name = "skip_show_database5", value = "off" } # Flag is not set to "on" ] } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json index 7a9c77de7fd..a4a1aad971d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json @@ -17,6 +17,6 @@ { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 37 + "line": 39 } ] From f2117b1d8735b6ae9f5a2efe3a3f1bfd860a582d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 17:46:58 +0100 Subject: [PATCH 07/12] minor improvements --- .../query.rego | 8 ++++---- .../test/positive.tf | 7 ++----- .../test/positive_expected_result.json | 2 +- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index ef94de1b292..e370c2f30db 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego @@ -27,7 +27,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) @@ -38,7 +38,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } 
@@ -49,7 +49,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'skip_show_database'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } @@ -61,7 +61,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' be defined and set 'skip_show_database' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf index 0757acdb330..c33de99356e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf @@ -33,12 +33,9 @@ resource "google_sql_database_instance" "positive_4" { settings { database_flags = [ - { name = "skip_show_database1", value = "off" }, # Flag is not set to "on" - { name = "skip_show_database2", value = "off" }, # Flag is not set to "on" - { name = "skip_show_database3", value = "off" }, # Flag is not set to "on" + { name = "sample_flag1", value = "off" }, { name = "skip_show_database", value = "off" }, # Flag is not set to "on" - { name = "skip_show_database4", value = "off" }, # Flag is not set to "on" - { name = "skip_show_database5", value = "off" } # Flag is not set to "on" + { name = "sample_flag2", value = "off" } ] } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json index a4a1aad971d..7a9c77de7fd 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json @@ -17,6 +17,6 @@ { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 39 + "line": 37 } ] From 2f0d7487677d176529668f93d42ecbc64c51c5bc Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 17:07:03 +0100 Subject: [PATCH 08/12] added support for single resources --- .../query.rego | 17 +++++++++++++++-- .../test/negative.tf | 16 ++++++++++++++++ .../test/positive.tf | 13 +++++++++++++ .../test/positive_expected_result.json | 5 +++++ 4 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego index e370c2f30db..77438cf1be9 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/query.rego @@ -54,8 +54,8 @@ get_results(resource, name) = results { "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } -} else = results { - resource.settings.database_flags[x].name == "skip_show_database" +} else = results { # array + resource.settings.database_flags[x].name == "skip_show_database" resource.settings.database_flags[x].value != "on" results := { 
@@ -65,8 +65,21 @@ get_results(resource, name) = results { "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } +} else = results { # single object + resource.settings.database_flags.name == "skip_show_database" + resource.settings.database_flags.value != "on" + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'skip_show_database' to '%s'", [name, resource.settings.database_flags.value]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []) + } } has_flag(database_flags) { database_flags[_].name == "skip_show_database" +} else { + database_flags.name == "skip_show_database" } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf index 2b33b808fbb..6b6923a25f0 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf 
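Review bot: The new single-object branch is reached only because `database_flags[x].name` is undefined when `database_flags` is an object (`x` then ranges over its keys and `.name` is applied to a string), and the `# array` / `# single object` comments are the only statement of that intent. Making the shape explicit costs one line per branch — `is_array(resource.settings.database_flags)` as the first expression of the array branch and `is_object(resource.settings.database_flags)` as the first expression of the single-object branch — and stops a future edit to either body from silently changing which branch handles which shape. The same `is_array`/`is_object` split applies to the two bodies of `has_flag`. The `keyExpectedValue`/`keyActualValue` strings are also duplicated verbatim between the two branches; a small helper returning that pair would keep them from drifting.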
@@ -17,7 +17,23 @@ resource "google_sql_database_instance" "negative_2" {
 tier = "db-f1-micro"
 database_flags = [
+ { name = "sample_flag1", value = "off" },
 { name = "skip_show_database", value = "on" }, # Has flag set to "on"
 ]
 }
 }
+
+resource "google_sql_database_instance" "negative_3" { # Single object support test
+ name = "mysql-instance-with-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+
+ database_flags {
+ name = "skip_show_database"
+ value = "on"
+ } # Has flag set to "on"
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
index c33de99356e..d703d34bf4f 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
@@ -39,3 +39,16 @@ resource "google_sql_database_instance" "positive_4" {
 ]
 }
 }
+
+resource "google_sql_database_instance" "positive_5" { # Single object support test
+ name = "mysql-instance-with-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {
+ database_flags{
+ name = "skip_show_database"
+ value = "off"
+ } # Flag is not set to "on"
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
index 7a9c77de7fd..a6bdb3f6769 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
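Review bot: The new `positive_5` fixture is meant to pair with `negative_3` from the previous hunk, but the two differ in more than the flag value: `negative_3` sets `tier = "db-f1-micro"` inside `settings` and `positive_5` does not, and `positive_5` writes the block header as `database_flags{`, which `terraform fmt` would render as `database_flags {`. Keeping the single-block positive and negative cases identical except for `value = "off"` versus `value = "on"` makes it evident that the expected finding at line 50 is driven by the flag alone and not by some other difference the parser might pick up. As far as the later hunks in this series show, these lines are not touched again.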
@@ -18,5 +18,10 @@
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
 "line": 37
+ },
+ {
+ "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
+ "severity": "MEDIUM",
+ "line": 50
 }
 ]
From f007a5ed3f367d3584d510a1b68da8dfd9903566 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 27 Oct 2025 16:38:58 +0000
Subject: [PATCH 09/12] fixed tests

---
 .../test/negative.tf | 18 ++++++++++---
 .../test/positive.tf | 26 +++++++++++++------
 .../test/positive_expected_result.json | 4 +--
 3 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
index 6b6923a25f0..badbd56ce65 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
@@ -16,10 +16,20 @@ resource "google_sql_database_instance" "negative_2" {
 settings {
 tier = "db-f1-micro"
- database_flags = [
- { name = "sample_flag1", value = "off" },
- { name = "skip_show_database", value = "on" }, # Has flag set to "on"
- ]
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
+
+ database_flags {
+ name = "skip_show_database" # Has flag set to "on"
+ value = "on"
+ }
+
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
 }
 }
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
index d703d34bf4f..42c97e1a153 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
@@ -20,9 +20,10 @@ resource "google_sql_database_instance" "positive_3" {
 region = "us-central1"
 settings {
- database_flags = [
- # Missing 'skip_show_database' flag
- ]
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ } # Missing 'skip_show_database' flag
 }
 }
@@ -32,11 +33,20 @@ resource "google_sql_database_instance" "positive_4" {
 region = "us-central1"
 settings {
- database_flags = [
- { name = "sample_flag1", value = "off" },
- { name = "skip_show_database", value = "off" }, # Flag is not set to "on"
- { name = "sample_flag2", value = "off" }
- ]
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
+
+ database_flags {
+ name = "skip_show_database" # Flag is not set to "on"
+ value = "off"
+ }
+
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
 }
 }
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
index a6bdb3f6769..e6bd2e4af21 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
@@ -17,11 +17,11 @@
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 37
+ "line": 42
 },
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 50
+ "line": 60
 }
 ]
From 438a1d67d2fb7787408e986ca08fe66d6c69af62 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:41:48 +0000
Subject: [PATCH 10/12] minor test fix

---
 .../test/negative.tf | 2 +-
 .../test/positive.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
index badbd56ce65..8212a37cf5a 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/negative.tf
@@ -27,7 +27,7 @@ resource "google_sql_database_instance" "negative_2" {
 }
 database_flags {
- name = "sample_flag1"
+ name = "sample_flag2"
 value = "off"
 }
 }
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
index 42c97e1a153..bd76c945fc9 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive.tf
@@ -44,7 +44,7 @@ resource "google_sql_database_instance" "positive_4" {
 }
 database_flags {
- name = "sample_flag1"
+ name = "sample_flag2"
 value = "off"
 }
 }
From a04c41f887bd3b49dbb38275adbd847f1eb274f6 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 28 Oct 2025 13:49:17 +0000
Subject: [PATCH 11/12] simId transition update

---
 assets/similarityID_transition/terraform_gcp.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml
index c3eeee7d298..89ca54e2221 100644
--- a/assets/similarityID_transition/terraform_gcp.yaml
+++ b/assets/similarityID_transition/terraform_gcp.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Beta - Google DNS Policy Logging Disabled
 observations: ""
 change: 2
+ - queryId: b5b70198-2a34-4792-b0d9-ce99abe485bb
+ queryName: Beta - SQL DB Instance With Exposed Show Privileges
+ observations: ""
+ change: 2
From befd64dba1373734a68251c6b9b295d080ff4460 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 28 Oct 2025 14:19:22 +0000
Subject: [PATCH 12/12] metadata update

---
 .../sql_db_instance_with_exposed_show_privileges/metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json
index 17219828dc0..d7abadbc237 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/metadata.json
@@ -2,7 +2,7 @@
 "id": "b5b70198-2a34-4792-b0d9-ce99abe485bb",
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "category": "Insecure Configurations",
+ "category": "Insecure Defaults",
 "descriptionText": "All 'google_sql_database_instance' resources based on MYSQL should enable the 'skip_show_database' flag to prevent unwanted exposure",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
 "platform": "Terraform",
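Review bot: `descriptionText` in the metadata hunk still explains the flag only as preventing "unwanted exposure", so a reader of the finding is not told what is exposed or why it rates MEDIUM; in MySQL, `skip_show_database` limits `SHOW DATABASES` to accounts that hold the SHOW DATABASES privilege, and while the flag is off any authenticated account can list every database name on the instance. A description such as `"All 'google_sql_database_instance' resources based on MySQL should set the 'skip_show_database' flag to 'on' so that authenticated users without the SHOW DATABASES privilege cannot enumerate database names"` names both the check and the risk. The move to "Insecure Defaults" is consistent with that, since the flag is off unless set explicitly; `descriptionUrl` could additionally point at the Cloud SQL MySQL flags reference, where this flag and its accepted values are documented, rather than the generic provider `settings` anchor.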