aquasecurity · simar7 · Oct 17, 2024 · Oct 16, 2024
@@ -6,15 +6,9 @@ import data.builtin.aws.config.aws0019 as check
 import data.lib.test
 
 test_allow_all_regions if {
-	test.assert_empty(check.deny) with input as {"aws": {"config": {"configurationaggregrator": {
-		"__defsec_metadata": {"managed": true},
-		"sourceallregions": {"value": true},
-	}}}}
+	test.assert_empty(check.deny) with input as {"aws": {"config": {"configurationaggregrator": {"sourceallregions": {"value": true}}}}}
 }
 
 test_disallow_all_regions if {
-	test.assert_equal_message("Configuration aggregation is not set to source from all regions.", check.deny) with input as {"aws": {"config": {"configurationaggregrator": {
-		"__defsec_metadata": {"managed": true},
-		"sourceallregions": {"value": false},
-	}}}}
+	test.assert_equal_message("Configuration aggregation is not set to source from all regions.", check.deny) with input as {"aws": {"config": {"configurationaggregrator": {"sourceallregions": {"value": false}}}}}
 }
@@ -6,28 +6,19 @@ import data.builtin.aws.ec2.aws0099 as check
 import data.lib.test
 
 test_allow_sg_with_description if {
-	inp := {"aws": {"ec2": {"securitygroups": [{
-		"__defsec_metadata": {"managed": true},
-		"description": {"value": "test"},
-	}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"description": {"value": "test"}}]}}}
 
 	test.assert_empty(check.deny) with input as inp
 }
 
 test_disallow_sg_without_description if {
-	inp := {"aws": {"ec2": {"securitygroups": [{
-		"__defsec_metadata": {"managed": true},
-		"description": {"value": ""},
-	}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"description": {"value": ""}}]}}}
 
 	test.assert_equal_message("Security group does not have a description", check.deny) with input as inp
 }
 
 test_disallow_sg_with_default_description if {
-	inp := {"aws": {"ec2": {"securitygroups": [{
-		"__defsec_metadata": {"managed": true},
-		"description": {"value": "Managed by Terraform"},
-	}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"description": {"value": "Managed by Terraform"}}]}}}
 
 	test.assert_equal_message("Security group explicitly uses the default description", check.deny) with input as inp
 }
@@ -15,7 +15,4 @@ test_deny_not_encrypted_volume if {
 	test.assert_equal_message("EBS volume is not encrypted", check.deny) with input as inp
 }
 
-build_input(encryption) := {"aws": {"ec2": {"volumes": [{
-	"__defsec_metadata": {"managed": true},
-	"encryption": encryption,
-}]}}}
+build_input(encryption) := {"aws": {"ec2": {"volumes": [{"encryption": encryption}]}}}
@@ -15,7 +15,4 @@ test_deny_volume_without_cmk if {
 	test.assert_equal_message("EBS volume does not use a customer-managed KMS key.", check.deny) with input as inp
 }
 
-build_input(encryption) := {"aws": {"ec2": {"volumes": [{
-	"__defsec_metadata": {"managed": true},
-	"encryption": encryption,
-}]}}}
+build_input(encryption) := {"aws": {"ec2": {"volumes": [{"encryption": encryption}]}}}
@@ -6,35 +6,26 @@ import data.builtin.aws.sqs.aws0096 as check
 import data.lib.test
 
 test_allow_encrypted if {
-	inp := {"aws": {"sqs": {"queues": [{
-		"__defsec_metadata": {"managed": true},
-		"encryption": {
-			"kmskeyid": {"value": "alias/key"},
-			"managedencryption": {"value": true},
-		},
-	}]}}}
+	inp := {"aws": {"sqs": {"queues": [{"encryption": {
+		"kmskeyid": {"value": "alias/key"},
+		"managedencryption": {"value": true},
+	}}]}}}
 
 	test.assert_empty(check.deny) with input as inp
 }
 
 test_allow_without_key_but_managed if {
-	inp := {"aws": {"sqs": {"queues": [{
-		"__defsec_metadata": {"managed": true},
-		"encryption": {
-			"kmskeyid": {"value": ""},
-			"managedencryption": {"value": true},
-		},
-	}]}}}
+	inp := {"aws": {"sqs": {"queues": [{"encryption": {
+		"kmskeyid": {"value": ""},
+		"managedencryption": {"value": true},
+	}}]}}}
 }
 
 test_deny_unencrypted if {
-	inp := {"aws": {"sqs": {"queues": [{
-		"__defsec_metadata": {"managed": true},
-		"encryption": {
-			"kmskeyid": {"value": ""},
-			"managedencryption": {"value": false},
-		},
-	}]}}}
+	inp := {"aws": {"sqs": {"queues": [{"encryption": {
+		"kmskeyid": {"value": ""},
+		"managedencryption": {"value": false},
+	}}]}}}
 
 	test.assert_equal_message("Queue is not encrypted", check.deny) with input as inp
 }
@@ -7,7 +7,6 @@ import data.lib.test
 
 test_allow_encrypted_with_cmk if {
 	inp := {"aws": {"sqs": {"queues": [{
-		"__defsec_metadata": {"managed": true},
 		"name": "test-queue",
 		"encryption": {"kmskeyid": {"value": "key-id"}},
 	}]}}}
@@ -17,7 +16,6 @@ test_allow_encrypted_with_cmk if {
 
 test_deny_unencrypted_with_cmk if {
 	inp := {"aws": {"sqs": {"queues": [{
-		"__defsec_metadata": {"managed": true},
 		"name": "test-queue",
 		"encryption": {"kmskeyid": {"value": "alias/aws/sqs"}},
 	}]}}}

@@ -18,13 +18,3 @@ test_allow_compute_os_login_enabled if {
 	res := check.deny with input as inp
 	res == set()
 }
-
-test_allow_compute_os_login_is_not_managed if {
-	inp := {"google": {"compute": {"projectmetadata": {
-		"__defsec_metadata": {"managed": false},
-		"enableoslogin": {"value": false},
-	}}}}
-
-	res := check.deny with input as inp
-	res == set()
-}
@@ -32,7 +32,7 @@ import rego.v1
 
 deny contains res if {
 	some bucket in input.google.storage.buckets
-	bucket.__defsec_metadata.managed
+	isManaged(bucket)
 	bucket.encryption.defaultkmskeyname.value == ""
 	res := result.new("Storage bucket encryption does not use a customer-managed key.", bucket.encryption.defaultkmskeyname)
 }
@@ -6,20 +6,14 @@ import data.builtin.google.storage.google0066 as check
 import data.lib.test
 
 test_allow_bucket_with_customer_key if {
-	inp := {"google": {"storage": {"buckets": [{
-		"__defsec_metadata": {"managed": true},
-		"encryption": {"defaultkmskeyname": {"value": "key"}},
-	}]}}}
+	inp := {"google": {"storage": {"buckets": [{"encryption": {"defaultkmskeyname": {"value": "key"}}}]}}}
 
 	res := check.deny with input as inp
 	res == set()
 }
 
 test_deny_bucket_without_customer_key if {
-	inp := {"google": {"storage": {"buckets": [{
-		"__defsec_metadata": {"managed": true},
-		"encryption": {"defaultkmskeyname": {"value": ""}},
-	}]}}}
+	inp := {"google": {"storage": {"buckets": [{"encryption": {"defaultkmskeyname": {"value": ""}}}]}}}
 
 	res := check.deny with input as inp
 	count(res) == 1

@@ -33,7 +33,7 @@ import rego.v1
 
 deny contains res if {
 	some bucket in input.google.storage.buckets
-	bucket.__defsec_metadata.managed
+	isManaged(bucket)
 	bucket.enableuniformbucketlevelaccess.value == false
 	res := result.new("Bucket has uniform bucket level access disabled.", bucket.enableuniformbucketlevelaccess)
 }
@@ -6,20 +6,14 @@ import data.builtin.google.storage.google0002 as check
 import data.lib.test
 
 test_allow_uniform_bucket_level_access_enabled if {
-	inp := {"google": {"storage": {"buckets": [{
-		"__defsec_metadata": {"managed": true},
-		"enableuniformbucketlevelaccess": {"value": true},
-	}]}}}
+	inp := {"google": {"storage": {"buckets": [{"enableuniformbucketlevelaccess": {"value": true}}]}}}
 
 	res := check.deny with input as inp
 	res == set()
 }
 
 test_deny_uniform_bucket_level_access_disabled if {
-	inp := {"google": {"storage": {"buckets": [{
-		"__defsec_metadata": {"managed": true},
-		"enableuniformbucketlevelaccess": {"value": false},
-	}]}}}
+	inp := {"google": {"storage": {"buckets": [{"enableuniformbucketlevelaccess": {"value": false}}]}}}
 
 	res := check.deny with input as inp
 	count(res) == 1

@@ -32,15 +32,15 @@ import rego.v1
 
 deny contains res if {
 	some bucket in input.google.storage.buckets
-	bucket.__defsec_metadata.managed
+	isManaged(bucket)
 	some member in bucket.bindings[_].members
 	is_member_external(member.value)
 	res := result.new("Bucket allows public access.", member)
 }
 
 deny contains res if {
 	some bucket in input.google.storage.buckets
-	bucket.__defsec_metadata.managed
+	isManaged(bucket)
 	some member in bucket.members
 	is_member_external(member.member.value)
 	res := result.new("Bucket allows public access.", member.member)

@@ -6,29 +6,20 @@ import data.builtin.google.storage.google0001 as check
 import data.lib.test
 
 test_allow_bucket_does_not_allow_public_access if {
-	inp := build_input({
-		"__defsec_metadata": {"managed": true},
-		"bindings": [{"members": [{"value": "user:[email protected]"}]}],
-	})
+	inp := build_input({"bindings": [{"members": [{"value": "user:[email protected]"}]}]})
 	res := check.deny with input as inp
 	res == set()
 }
 
 test_deny_bucket_allows_public_access_members if {
-	inp := build_input({
-		"__defsec_metadata": {"managed": true},
-		"bindings": [{"members": [{"value": "allAuthenticatedUsers"}]}],
-	})
+	inp := build_input({"bindings": [{"members": [{"value": "allAuthenticatedUsers"}]}]})
 
 	res := check.deny with input as inp
 	count(res) == 1
 }
 
 test_deny_bucket_allows_public_access_bindings if {
-	inp := build_input({
-		"__defsec_metadata": {"managed": true},
-		"bindings": [{"members": [{"value": "allAuthenticatedUsers"}]}],
-	})
+	inp := build_input({"bindings": [{"members": [{"value": "allAuthenticatedUsers"}]}]})
 
 	res := check.deny with input as inp
 	count(res) == 1