Checkov Check ID | Check Description (CKV_ checks are Python-based, CKV2_ checks are graph/YAML-based) |
---|---|
CKV_AZURE_55 | Ensure that Azure Defender is set to On for Servers |
CKV_AZURE_61 | Ensure that Azure Defender is set to On for App Service |
CKV_AZURE_69 | Ensure that Azure Defender is set to On for Azure SQL database servers |
CKV_AZURE_79 | Ensure that Azure Defender is set to On for SQL servers on machines |
CKV_AZURE_84 | Ensure that Azure Defender is set to On for Storage |
CKV_AZURE_85 | Ensure that Azure Defender is set to On for Kubernetes |
CKV_AZURE_86 | Ensure that Azure Defender is set to On for Container Registries |
CKV_AZURE_87 | Ensure that Azure Defender is set to On for Key Vault |
CKV_AZURE_58 | Ensure that 'Security contact emails' is set |
CKV_AZURE_77 | Ensure that UDP Services are restricted from the Internet |
CKV_AZURE_78 | Ensure FTP deployments are disabled |
CKV_K8S_100 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
CKV_AZURE_80 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app |
CKV_AZURE_81 | Ensure that 'PHP version' is the latest, if used to run the web app |
CKV_AZURE_82 | Ensure that 'Python version' is the latest, if used to run the web app |
CKV_AZURE_83 | Ensure that 'Java version' is the latest, if used to run the web app |
CKV_K8S_101 | Ensure that the --client-ca-file argument is set as appropriate (Scored) |
CKV_K8S_102 | Ensure that the --etcd-cafile argument is set as appropriate |
CKV_K8S_104 | Ensure that encryption providers are appropriately configured |
CKV_K8S_105 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
CKV_K8S_106 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
CKV_K8S_107 | Ensure that the --profiling argument is set to false |
CKV_K8S_108 | Ensure that the --use-service-account-credentials argument is set to true |
CKV_AZURE_100 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
CKV_AZURE_101 | Ensure that Azure Cosmos DB disables public network access |
CKV_AZURE_102 | Ensure that PostgreSQL server enables geo-redundant backups |
CKV_AZURE_103 | Ensure that Azure Data Factory uses Git repository for source control |
CKV_AZURE_104 | Ensure that Azure Data factory public network access is disabled |
CKV_AZURE_105 | Ensure that Data Lake Store accounts enable encryption |
CKV_AZURE_106 | Ensure that Azure Event Grid Domain public network access is disabled |
CKV_AZURE_107 | Ensure that API Management services use virtual networks |
CKV_AZURE_108 | Ensure that Azure IoT Hub disables public network access |
CKV_AZURE_109 | Ensure that key vault allows firewall rules settings |
CKV_AZURE_110 | Ensure that key vault enables purge protection |
CKV_AZURE_111 | Ensure that key vault enables soft delete |
CKV_AZURE_112 | Ensure that key vault key is backed by HSM |
CKV_AZURE_113 | Ensure that key vault keys use the RSA or EC cryptographic type |
CKV_AZURE_114 | Ensure that key vault secrets have "content_type" set |
CKV_AZURE_115 | Ensure that AKS enables private clusters |
CKV_AZURE_116 | Ensure that AKS uses Azure Policies Add-on |
CKV_AZURE_117 | Ensure that AKS uses disk encryption set |
CKV_AZURE_118 | Ensure that Network Interfaces disable IP forwarding |
CKV_AZURE_119 | Ensure that Network Interfaces don't use public IPs |
CKV_AZURE_120 | Ensure that Application Gateway enables WAF |
CKV_AZURE_121 | Ensure that Azure Front Door enables WAF |
CKV_AZURE_122 | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes |
CKV_AZURE_123 | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes |
CKV_AZURE_124 | Ensure that Azure Cognitive Search disables public network access |
CKV_AZURE_125 | Ensure that Service Fabric uses the three levels of protection available |
CKV_AZURE_126 | Ensure that Active Directory is used for authentication to Service Fabric |
CKV_AZURE_127 | Ensure that MySQL server enables Threat detection policy |
CKV_AZURE_128 | Ensure that PostgreSQL server enables Threat detection policy |
CKV_AZURE_129 | Ensure that MariaDB server enables geo-redundant backups |
CKV_K8S_110 | Ensure that the --service-account-private-key-file argument is set as appropriate |
CKV_K8S_111 | Ensure that the --root-ca-file argument is set as appropriate |
CKV_K8S_112 | Ensure that the RotateKubeletServerCertificate argument is set to true |
CKV_K8S_113 | Ensure that the --bind-address argument is set to 127.0.0.1 |
CKV_K8S_114 | Ensure that the --profiling argument is set to false |
CKV_K8S_115 | Ensure that the --bind-address argument is set to 127.0.0.1 |
CKV_K8S_116 | Ensure that the --cert-file and --key-file arguments are set as appropriate |
CKV_K8S_117 | Ensure that the --client-cert-auth argument is set to true |
CKV_K8S_118 | Ensure that the --auto-tls argument is not set to true |
CKV_K8S_119 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
CKV_K8S_121 | Ensure that the --peer-client-cert-auth argument is set to true |
CKV_K8S_122 | Ensure that the --peer-auto-tls argument is not set to true |
CKV_K8S_138 | Ensure that the --anonymous-auth argument is set to false |
CKV_K8S_139 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
CKV_K8S_140 | Ensure that the --client-ca-file argument is set as appropriate |
CKV_K8S_141 | Ensure that the --read-only-port argument is set to 0 |
CKV_K8S_143 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
CKV_K8S_144 | Ensure that the --protect-kernel-defaults argument is set to true |
CKV_K8S_145 | Ensure that the --make-iptables-util-chains argument is set to true |
CKV_K8S_146 | Ensure that the --hostname-override argument is not set |
CKV_K8S_147 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
CKV_K8S_148 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
CKV_K8S_149 | Ensure that the --rotate-certificates argument is not set to false |
CKV_K8S_150 | Ensure that the RotateKubeletServerCertificate argument is set to true |
CKV_K8S_151 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
CKV_K8S_68 | Ensure that the --anonymous-auth argument is set to false |
CKV_K8S_69 | Ensure that the --basic-auth-file argument is not set |
CKV_K8S_70 | Ensure that the --token-auth-file parameter is not set |
CKV_K8S_71 | Ensure that the --kubelet-https argument is set to true |
CKV_K8S_72 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
CKV_K8S_73 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
CKV_K8S_74 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
CKV_K8S_75 | Ensure that the --authorization-mode argument includes Node |
CKV_K8S_77 | Ensure that the --authorization-mode argument includes RBAC |
CKV_K8S_78 | Ensure that the admission control plugin EventRateLimit is set |
CKV_K8S_79 | Ensure that the admission control plugin AlwaysAdmit is not set |
CKV_K8S_80 | Ensure that the admission control plugin AlwaysPullImages is set |
CKV_K8S_81 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
CKV_K8S_82 | Ensure that the admission control plugin ServiceAccount is set |
CKV_K8S_83 | Ensure that the admission control plugin NamespaceLifecycle is set |
CKV_K8S_84 | Ensure that the admission control plugin PodSecurityPolicy is set |
CKV_K8S_85 | Ensure that the admission control plugin NodeRestriction is set |
CKV_K8S_86 | Ensure that the --insecure-bind-address argument is not set |
CKV_K8S_88 | Ensure that the --insecure-port argument is set to 0 |
CKV_K8S_89 | Ensure that the --secure-port argument is not set to 0 |
CKV_K8S_90 | Ensure that the --profiling argument is set to false |
CKV_K8S_91 | Ensure that the --audit-log-path argument is set |
CKV_K8S_92 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
CKV_K8S_93 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
CKV_K8S_94 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
CKV_K8S_95 | Ensure that the --request-timeout argument is set as appropriate |
CKV_K8S_96 | Ensure that the --service-account-lookup argument is set to true |
CKV_K8S_97 | Ensure that the --service-account-key-file argument is set as appropriate |
CKV_AZURE_59 | Ensure Storage logging is enabled for Blob service for read requests |
CKV_AZURE_60 | Ensure Storage logging is enabled for Table service for read requests |
CKV2_AZURE_1 | Ensure storage for critical data are encrypted with Customer Managed Key |
CKV2_AZURE_2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
CKV2_AZURE_3 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
CKV2_AZURE_4 | Ensure that VA setting Send scan reports to is configured for a SQL server |
CKV2_AZURE_5 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
CKV2_AZURE_7 | Ensure that Azure Active Directory Admin is configured |
CKV2_AZURE_8 | Ensure the storage container storing the activity logs is not publicly accessible |
CKV2_AZURE_9 | Ensure Virtual Machines are utilizing Managed Disks |
CKV2_GCP_6 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
CKV2_GCP_8 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
CKV2_GCP_9 | Ensure that retention policies on log buckets are configured using Bucket Lock |
CKV2_GCP_10 | Ensure legacy networks do not exist for a project |
CKV_GCP_68 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
CKV_AZURE_130 | Ensure that PostgreSQL server enables infrastructure encryption |
CKV_AZURE_131 | Ensure that SQL server disables public network access |
CKV_AZURE_133 | Ensure that PostgreSQL server disables public network access |
CKV_AZURE_134 | Ensure that Azure File Sync disables public network access |
CKV_AZURE_135 | Ensure that storage account enables secure transfer |
CKV_K8S_99 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
CKV_AZURE_136 | Ensure that Storage accounts disallow public access |
CKV_AZURE_137 | Ensure that Azure Synapse workspaces enable managed virtual networks |
CKV_AZURE_56 | Ensure that function apps enable Authentication |
CKV_AZURE_57 | Ensure that CORS disallows every resource to access app services |
CKV_AZURE_62 | Ensure that CORS disallows every resource to access function apps |
CKV_AZURE_63 | Ensure that App service enables HTTP logging |
CKV_AZURE_65 | Ensure that App service enables detailed error messages |
CKV_AZURE_66 | Ensure that App service enables failed request tracing |
CKV_AZURE_67 | Ensure that 'HTTP Version' is the latest if used to run the function app |
CKV_AZURE_70 | Ensure that Function apps are only accessible over HTTPS |
CKV_AZURE_71 | Ensure that Managed identity provider is enabled for app services |
CKV_AZURE_72 | Ensure that remote debugging is not enabled for app services |
CKV_AZURE_73 | Ensure that Automation account variables are encrypted |
CKV_AZURE_74 | Ensure that Azure Data Explorer uses disk encryption |
CKV_AZURE_75 | Ensure that Azure Data Explorer uses double encryption |
CKV_AZURE_76 | Ensure that Azure Batch account uses key vault to encrypt data |
CKV_AZURE_88 | Ensure that app services use Azure Files |
CKV_AZURE_89 | Ensure that Azure Cache for Redis disables public network access |
CKV_AZURE_91 | Ensure that only SSL connections are enabled for Azure Cache for Redis |
CKV_AZURE_92 | Ensure that Virtual Machines use managed disks |
CKV_AZURE_93 | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
CKV_AZURE_94 | Ensure that MySQL server enables geo-redundant backups |
CKV_AZURE_95 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
CKV_AZURE_96 | Ensure that PostgreSQL server enables infrastructure encryption |
CKV_AZURE_97 | Ensure that Virtual machine scale sets have encryption at host enabled |
CKV_AZURE_98 | Ensure that Azure Container group is deployed into a virtual network |
CKV_AZURE_99 | Ensure Cosmos DB accounts have restricted access |
CKV2_AZURE_10 | Ensure that Microsoft Antimalware is configured to update automatically for Virtual Machines |
CKV2_AZURE_11 | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
CKV2_AZURE_12 | Ensure that virtual machines are backed up using Azure Backup |
CKV2_AZURE_13 | Ensure that SQL servers enable a data security policy |
CKV2_AZURE_14 | Ensure that Unattached disks are encrypted |
CKV2_AZURE_15 | Ensure that Azure data factories are encrypted with a customer-managed key |
CKV2_AZURE_16 | Ensure that MySQL server enables customer-managed key for encryption |
CKV2_AZURE_17 | Ensure that PostgreSQL server enables customer-managed key for encryption |
CKV2_AZURE_18 | Ensure that Storage Accounts use customer-managed key for encryption |
CKV2_AZURE_19 | Ensure that Azure Synapse workspaces have no IP firewall rules attached |
Created
March 29, 2021 14:07
Checkov V2 New Checks