Checkmarx · dependabot · Apr 14, 2023 · Apr 14, 2023 · Apr 17, 2023 · Apr 20, 2023
@@ -25,7 +25,7 @@ jobs:
             -c assets/libraries/common.json \
             -u https://registry.terraform.io/v1/modules
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "feat(queries): update terraform registry data on commons.json"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -52,7 +52,7 @@ jobs:
           docker run -v ${PWD}/assets/queries:/path \
             kics:${{ github.sha }} scan \
             --silent \
-            --disable-full-descriptions \
+            --disable-telemetry \
             --ignore-on-exit "results" \
             --log-level DEBUG \
             --log-path "/path/info.log" \

@@ -26,7 +26,7 @@ jobs:
         run: |
           docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser/jsonfilter:/work -it antlr4-generator:dev
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "chore(parser): updating AWS jsonfilter ANTLR generated parser"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -27,7 +27,7 @@ jobs:
           sed -E -i "s/(<p.*>)[0-9]{4}\.[0-9]{2}\.[0-9]{2}<p>/\1${{ steps.cdate.outputs.date }}<p>/" docs/index.md
           sed -E -i "s/(<a.*href=\"https:\/\/github.com\/Checkmarx\/kics\/releases\/download\/).*(\/kics_).*(_[a-z]+_.*>)/\1v${{ github.event.inputs.version }}\2${{ github.event.inputs.version }}\3/g" docs/index.md
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs: preparing for release ${{ github.event.inputs.version }}"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -182,7 +182,7 @@ jobs:
           pip install csvtomd
           csvtomd docs/docker/apispec.csv > docs/docker/apispec.md
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs(kicsbot): update images digest"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -120,7 +120,7 @@ jobs:
           pip install csvtomd
           csvtomd docs/docker/digests.csv > docs/docker/digests.md
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs(kicsbot): update images digest"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -64,7 +64,7 @@ jobs:
           pip install csvtomd
           csvtomd docs/docker/digests.csv > docs/docker/digests.md
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs(kicsbot): update images digest"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -219,7 +219,7 @@ jobs:
           pip install csvtomd
           csvtomd docs/docker/nightly.csv > docs/docker/nightly.md
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs(kicsbot): update images digest"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -31,7 +31,7 @@ jobs:
             -f md \
             -t .github/scripts/docs-generator/templates
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "docs(queries): update queries catalog"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -50,7 +50,7 @@ jobs:
       - name: Update install.sh
         run: ./.bin/godownloader --repo Checkmarx/kics <(echo ${{ steps.outputs.filter.goreleaser }}) > install.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "chore(install): update install script"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -25,7 +25,7 @@ jobs:
              *.json
       - name: Create pull request
         if: steps.verify-changed-files.outputs.files_changed == 'true'
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
         with:
           title: "bump: updating software versions"
           token: ${{ secrets.KICS_BOT_PAT }}

@@ -198,14 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
-
-It is clarified that the Apache License 2.0 shall not apply to any content
-generated by KICS which is marked as being “Proprietary to CIS” (the “CIS 
-Proprietary Content”). The CIS Proprietary Content is exclusively owned by 
-the Center for Internet Security, Inc. and you are granted a limited, 
-non-exclusively,  non-transferable, non-sublicensable license to view the 
-CIS Proprietary Content in connection with your use of KICS. You may not, 
-and may not permit others to modify, create derivative works of, reproduce, 
-publish, distribute, transfer, publicly display, resell, rent, lease, 
-sublicense, loan, or lend the CIS Proprietary Content to any third party.
+   limitations under the License.
@@ -3,7 +3,7 @@
     "queryName": "Restart Policy On Failure Not Set To 5",
     "severity": "MEDIUM",
     "category": "Build Process",
-    "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.",
+    "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.",
     "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
     "platform": "DockerCompose",
     "descriptionID": "d21fff2e"

@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
-  name           = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+  name           = "AWSConfigChanges"
   pattern        = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-AWSConfigChanges"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "AWSConfigChanges"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
-  alarm_name                = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+  alarm_name                = "AWSConfigChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
-  metric_name               = aws_cloudwatch_log_metric_filter.CIS_AWS_Config_Change_Metric_Filter.id
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  metric_name               = aws_cloudwatch_log_metric_filter.AWS_Config_Change_Metric_Filter.id
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
   alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
-  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+  alarm_actions             = [aws_sns_topic.Alerts_SNS_Topic.arn]
   insufficient_data_actions = []
 }
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
-  name           = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+  name           = "AWSConfigChanges"
   pattern        = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-AWSConfigChanges"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "AWSConfigChanges"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
-  alarm_name                = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+  alarm_name                = "AWSConfigChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
   metric_name               = "XXXX NOT YOUR FILTER XXXX"
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
   alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
-  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+  alarm_actions             = [aws_sns_topic.Alerts_SNS_Topic.arn]
   insufficient_data_actions = []
 }
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
-  name           = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+  name           = "ConsoleSigninWithoutMFA"
   pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-ConsoleSigninWithoutMFA"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "ConsoleSigninWithoutMFA"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
-  alarm_name                = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+  alarm_name                = "ConsoleSigninWithoutMFA"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
-  metric_name               = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  metric_name               = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
   alarm_description         = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
-  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+  alarm_actions             = [aws_sns_topic.Alerts_SNS_Topic.arn]
   insufficient_data_actions = []
 }
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
-  name           = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+  name           = "AWSConfigChanges"
   pattern        = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-AWSConfigChanges"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "AWSConfigChanges"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
-  alarm_name                = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+  alarm_name                = "AWSConfigChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
   metric_name               = "XXXX NOT YOUR FILTER XXXX"
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
   alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
-  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+  alarm_actions             = [aws_sns_topic.Alerts_SNS_Topic.arn]
   insufficient_data_actions = []
 }
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
-  name           = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+  name           = "AWSConfigChanges"
   pattern        = "{ ($.eventSource = \"config.amazonaws.com\") || (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-AWSConfigChanges"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "AWSConfigChanges"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
-  alarm_name                = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+  alarm_name                = "AWSConfigChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
   metric_name               = "XXXX NOT YOUR FILTER XXXX"
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
   alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
-  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+  alarm_actions             = [aws_sns_topic.Alerts_SNS_Topic.arn]
   insufficient_data_actions = []
 }
@@ -2,35 +2,35 @@ provider "aws" {
   region = "us-east-2"
 }
 
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
-  name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+  name = "CloudWatch_LogsGroup"
 }
 
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
-  name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+  name = "alerts-sns-topic"
 }
 
-resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" {
-  alarm_name                = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_metric_alarm" "aws_organizations" {
+  alarm_name                = "AWS-Organizations"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
-  metric_name               = aws_cloudwatch_log_metric_filter.cis_aws_organizations.id
-  namespace                 = "CIS_Metric_Alarm_Namespace"
+  metric_name               = aws_cloudwatch_log_metric_filter.aws_organizations.id
+  namespace                 = "Metric_Alarm_Namespace"
   period                    = "300"
   statistic                 = "Sum"
   threshold                 = "1"
-  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
+  alarm_actions             = [aws_sns_topic.alerts_sns_topic.arn]
   insufficient_data_actions = []
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" {
-  name           = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_log_metric_filter" "aws_organizations" {
+  name           = "AWS-Organizations"
   pattern        = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }"
-  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+  log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 
   metric_transformation {
-    name      = "CIS-4.15-AWS-Organizations"
-    namespace = "CIS_Metric_Alarm_Namespace"
+    name      = "AWS-Organizations"
+    namespace = "Metric_Alarm_Namespace"
     value     = "1"
   }
 }