Skip to content

feat(query): implements "Beta - SQL DB Instance Without Connections Logging" #7779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Nov 5, 2025
Merged

feat(query): implements "Beta - SQL DB Instance Without Connections Logging" #7779

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
5fefbc8
initial implementation
cx-andre-pereira Oct 20, 2025
9374d90
fixes
cx-andre-pereira Oct 20, 2025
657957f
support for single object
cx-andre-pereira Oct 22, 2025
b185cab
Merge branch 'master' into AST-116624_11_6.2_PostgreSQL_Database_ensu…
cx-andre-pereira Oct 27, 2025
b6fba57
fixed tests
cx-andre-pereira Oct 27, 2025
a739327
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-1…
cx-andre-pereira Oct 28, 2025
4f1ac67
simId transition update
cx-andre-pereira Oct 28, 2025
9c67929
Merge branch 'master' into AST-116624_11_6.2_PostgreSQL_Database_ensu…
cx-artur-ribeiro Oct 31, 2025
f7abdf1
Merge branch 'master' into AST-116624_11_6.2_PostgreSQL_Database_ensu…
cx-andre-pereira Nov 5, 2025
842354c
Merge branch 'master' into AST-116624_11_6.2_PostgreSQL_Database_ensu…
cx-andre-pereira Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"id": "fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca",
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should enable the 'log_connections' flag to log connection attempts",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
"platform": "Terraform",
"descriptionID": "fc7187e5",
"cloudProvider": "gcp",
"cwe": "778",
"riskScore": "3.0",
"experimental": "true"
}
85 changes: 85 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {
resource := input.document[i].resource.google_sql_database_instance[name]

contains(resource.database_version, "POSTGRES")
results := get_results(resource, name)

result := {
"documentId": input.document[i].id,
"resourceType": "google_sql_database_instance",
"resourceName": tf_lib.get_resource_name(resource, name),
"searchKey": results.searchKey,
"issueType": results.issueType,
"keyExpectedValue": results.keyExpectedValue,
"keyActualValue": results.keyActualValue,
"searchLine": results.searchLine
}
}

get_results(resource, name) = results {
not common_lib.valid_key(resource, "settings")

results := {
"searchKey": sprintf("google_sql_database_instance[%s]", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], [])

}
} else = results {
not common_lib.valid_key(resource.settings, "database_flags")

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], [])
}

} else = results {
not has_flag(resource.settings.database_flags)

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'log_connections'", [name]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], [])
}

} else = results { # array
resource.settings.database_flags[x].name == "log_connections"
resource.settings.database_flags[x].value != "on"

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_connections' to '%s'", [name, resource.settings.database_flags[x].value]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], [])
}
} else = results { # single object
resource.settings.database_flags.name == "log_connections"
resource.settings.database_flags.value != "on"

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_connections' to '%s'", [name, resource.settings.database_flags.value]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], [])
}
}

has_flag(database_flags) {
database_flags[_].name == "log_connections"
} else {
database_flags.name == "log_connections"
}
49 changes: 49 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/negative.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
resource "google_sql_database_instance" "negative_1" {
name = "main-instance"
database_version = "MYSQL_8_0" # Is not a POSTGRES instance
region = "us-central1"

settings {
tier = "db-f1-micro"
}
}

resource "google_sql_database_instance" "negative_2" {
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"

settings {
tier = "db-f1-micro"

database_flags {
name = "sample_flag1"
value = "off"
}

database_flags {
name = "log_connections" # Has flag set to "on"
value = "on"
}

database_flags {
name = "sample_flag2"
value = "off"
}
}
}

resource "google_sql_database_instance" "negative_3" { # Single object support test
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"

settings {
tier = "db-f1-micro"

database_flags {
name = "log_connections"
value = "on"
} # Has flag set to "on"
}
}
64 changes: 64 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
resource "google_sql_database_instance" "positive_1" {
name = "mysql-instance-without-flag"
database_version = "POSTGRES_17"
region = "us-central1"

# Missing 'settings' field
}

resource "google_sql_database_instance" "positive_2" {
name = "postgres-instance-without-flag"
database_version = "POSTGRES_16"
region = "us-central1"

settings {} # Missing 'database_flags' field
}

resource "google_sql_database_instance" "positive_3" {
name = "postgres-instance-without-flag"
database_version = "POSTGRES_15"
region = "us-central1"

settings {
database_flags {
name = "sample_flag1"
value = "off"
} # Missing 'log_connections' flag
}
}

resource "google_sql_database_instance" "positive_4" {
name = "postgres-instance-with-flag"
database_version = "POSTGRES_14"
region = "us-central1"

settings {
database_flags {
name = "sample_flag1"
value = "off"
}

database_flags {
name = "log_connections" # Flag is not set to "on"
value = "off"
}

database_flags {
name = "sample_flag2"
value = "off"
}
}
}

resource "google_sql_database_instance" "positive_5" { # Single object support test
name = "postgres-instance-with-flag"
database_version = "POSTGRES_14"
region = "us-central1"

settings {
database_flags {
name = "log_connections"
value = "off"
} # Flag is not set to "on"
}
}
27 changes: 27 additions & 0 deletions ...raform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
[
{
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"line": 1
},
{
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"line": 14
},
{
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"line": 23
},
{
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"line": 42
},
{
"queryName": "Beta - SQL DB Instance Without Connections Logging",
"severity": "MEDIUM",
"line": 60
}
]
4 changes: 4 additions & 0 deletions assets/similarityID_transition/terraform_gcp.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,7 @@ similarityIDChangeList:
queryName: Beta - Google DNS Policy Logging Disabled
observations: ""
change: 2
- queryId: fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca
queryName: Beta - SQL DB Instance Without Connections Logging
observations: ""
change: 2
Loading